A new piece of, what appears to be, highly targeted malware has been discovered by researchers at AlienVault. The new malware strain, dubbed GzipDe and most likely used in cyber-espionage campaigns, uses an article about the next Shanghai Cooperation Organization Summit.
More about the GzipDe Malware Operation
About a week ago, researchers detected a new malicious document targeting this area. Apparently, the document has included a piece of text taken from the report as a decoy.
AlienVault discovered a booby-trapped Word document on VirusTotal which was published by a user from Afghanistan. This is how they unearthed the malware.
The above-mentioned booby-trapped document (.doc file) is the first step of a multistage infection in which several servers and artifacts are deployed. The final stage of the malicious operation appears to be the installation of a Metasploit backdoor. However, this is not as interesting as the .NET downloader, which uses a custom encryption method to obfuscate process memory and evade antivirus detection.
The malicious document tricked users into enabling macros, which once enabled executed a Visual Basic script. Then the script ran some PowerShell code, which subsequently downloaded a PE32 executable. The process ended with the actual malware — GZipDe – the researchers reported.
GZipDe appears to be coded in .NET, and it is designed to use “a custom encryption method to obfuscate process memory and evade antivirus detection.” Since the initial purpose of GzipDe is to act as a downloader, it means that the malware will download a more dangerous piece from a remote server. However, during the researchers’ investigation, the remote server was over which usually would end the analysis. However, it turned out Shodan, the IoT search engine, indexed the server and even recorded it serving a Metasploit payload.
The server, 175.194.42[.]8, delivers a Metasploit payload. It contains shellcode to bypass system detection (since it looks to have a valid DOS header) and a Meterpreter payload – a capable backdoor. For example, it can gather information from the system and contact the command and control server to receive further commands.
In addition, the shellcode loads the entire DLL into memory, thus enabling it to operate while no information is written into the disk. This operation is known as Reflective DLL injection. From this point, the attacker can transmit any other payload in order to acquire elevated privileges and move within the local network, the researchers concluded.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: