Rewterz Threat Alert – Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature

Severity

High

Analysis Summary

A malicious Word document disguised as a resume is being distributed that uses template injection to drop a .Net Loader. This is the first part of a multi-stage attack associated to an APT attack. In the last stage, the threat actors used Cobalt Strike’s Malleable C2 feature to download the final payload and perform C2 communications. An intentional delay is seen in executing the payload from the malicious Word macro, until reboot, to evade detection. Hiding shellcode within an innocuous JavaScript and loading it without touching the disk, this APT group further thwarts detection by security products. The lure document was probably distributed through spear phishing emails as a resume from a person allegedly named “Anadia Waleed.” 

The malicious document uses template injection to download a remote template from the following url: 
https://yenile[.]asia/YOOMANHOWYOUDARE/indexb.dotm

Upon opening the file, three files are dropped into the victim’s machine: 
 

• Ecmd.exe: UserForm1 and UserForm2 contain two Base64 encoded payloads. Depending on the version of .Net framework installed on the victim’s machine, the content of UserForm1 (in case of .Net v3.5) or UserForm2 (other versions) is decoded and stored in “C:\ProgramData”. 
• cf.ini: The content of the “cf.ini” file is extracted from UserForm3 and is AES encrypted, which later on is decrypted by ecmd.exe. 
• ecmd.exe.lnk: This is a shortcut file for “ecmd.exe” and is created after Base64 decoding the content of UserForm4. This file is dropped in the Startup directory as a trigger and persistence mechanism. Ecmd.exe is not executed until after the machine reboots.

The shell code uses the Cobalt Strike Malleable C2 feature with a jquery Malleable C2 profile to download the second payload from “time.updateeset[.]com”. 
This technique has been used by two other recent Chinese APTs—Mustang Panda and APT41.  

Impact

• Systems Compromise
• Network-wide attack
• Unauthorized access to information

Indicators of Compromise

Domain Name

• time[.]updateeset[.]com
• yenile[.]asia

MD5

• 763813c3c549960378916366c8137855
• 3a269baf0c7d1de1f44397fdddafa1e7
• 987ceec8c3eb06feb020b2954bb93793
• c2707e94901c09b3575cf41aeaec40a1
• dbb3b0baf4743823cb124f2c74a7c67c

SHA-256

• dcaaffea947152eab6572ae61d7a3783e6137901662e6b5b5cad82bffb5d8995
• 7f1325c5a9266e649743ba714d02c819a8bfc7fd58d58e28a2b123ea260c0ce2
• 259632b416b4b869fc6dc2d93d2b822dedf6526c0fa57723ad5c326a92d30621
• aeb4c3ff5b5a62f5b7fcb1f958885f76795ee792c12244cee7e36d9050cfb298
• 7963ead16b6277e5b4fbd5d0b683593877d50a6ea7e64d2fc5def605eba1162a

SHA1

• 96ae7f0338a3ca729f18aa3f6cee31764c70daf9
• 04c0cad493eb739a66302dc84451df5db1911775
• 044b4ba0301a33a824143cab77b8a6630b6051d9
• 6e427249c476075b5fee256408ea66caef334b9e
• 9c22ca568129031c477e5f24655ea81b52088a48

URL

• https[:]//yenile[.]asia/YOOMANHOWYOUDARE/

Remediation

• Block the threat indicators at your respective controls.
• Do not download files attached in untrusted emails.