Rewterz Threat Advisory – New GZipDe Malware Drops Metasploit Backdoor

This is an advisory on a recent malware strain which lures users into enabling macros. This will execute a Visual Basic script running a PowerShell code.

IMPACT:  CRITICAL

PUBLISH DATE:  24-06-2018

OVERVIEW

AlienVault has discovered a new Malware strain called GZipDe used to drop backdoors. In this multistage attack, a Word document gets users to enable macros which execute Visual Basic scripts running some PowerShell code. This will download a PE32 executable which will later drop the actual Malware GZipDe.

BACKGROUND INFORMATION

A user from Afghanistan embedded the malware in a word file and uploaded it on VirusTotal, which is believed to be a part of a cyber espionage. The malware GZipDe is encoded in .NET and uses a customized coding method to blur the process memory and escape antivirus detection.

The document uses text from an article about the Shanghai Cooperation Organization Summit, a conference from last month about Eurasian political, economic and security topics.

EXECUTIVE SUMMARY

The infection process comprises of multiple layers using Metasploit module. The Metasploit is a framework that security researchers use for conducting penetration tests to detect vulnerabilities. It was modified into a backdoor which gathers information from the system and forwards it to the attacker via C&C server and receives further instruction.

This is not the first time that Metasploit is used for cyber-attacks. Hackers now tend to use ready-made tools like Metasploit rather than custom-designing tools for every attack.

The custom-encryption of GZipDe enables it to escape the anti-virus detection as it is coded in .NET and confuses the process memory. Once activated, GZipDe downloads another potent threat from a remote server.

It drops a Metasploit based backdoor in the system to execute further malicious commands.

This shell code loads the entire DLL into memory, hence operating successfully without writing anything on the disk. Having reached this point, the attacker gains the ability to drop further payloads to acquire elevated privileges and move within the local network. The hacker can steal information which was available to privileged employees only.

WORK FLOW

IMPACT ANALYSIS

GZipDe Malware contains an encrypted payload which consists of a Base64 string compressed as a ZIP that is customencrypted with a symmetric key algorithm. The shell code present in the payload contacts the command & control server to grab the Metasploit payload. The Metasploit payload containing the shell code bypasses the Anti-virus  detection and creates a backdoor using Meterpreter payload.

Once the backdoor is opened, it starts to steal sensitive information from the system and forwards it to the attacker via C&C server.

RESOLVE

The following Indicators of Compromise should be blocked at Proxy and Edge Firewall.

Indicators of Compromise (IOCs):

URLs:

• hxxp://118[.]193[.]251[.]137/dropbox/?p=BT67HU78HZ
• hxxp://118[.]193[.]251[.]137/dropbox/filesfhjdfkjsjdkfjsdkfjsdfjksdfjsdkfasdfjnadsfjnasdnj/utorrent[.]exe

IPs:

• 118[.]193[.]251[.]137
• 175[.]194[.]42[.]8

If you think you are a victim of a cyber-security attack. Immediately send an email to info@rewterz.com for a rapid response.