Criminals exploit PowerPoint documents and blog infrastructure to deliver RAT and steal cryptocurrency
DarkLab has recently responded to cybercriminal phishing attempts in APAC exploiting unusual tactics, techniques and procedures (TTPs). While most phishing we observe contain MS Word or Excel attachments, this one exploited malicious PowerPoint (.ppt) files to eventually deploy AsyncRat malware and a bitcoin stealer.
Exploitation of PowerPoint attachments is not entirely new. However, it is rare enough to remain uncommon and therefore increase the chances that unaware users would open malicious attachments.
This phishing campaign, likely still active, appears to be focused on Asia, particularly China, although we also found samples uploaded on a popular multi-vendor AV scanner from countries in Europe. Most of the titles of the malicious documents are generic. However, the use of titles such as “Hotel Doc” for some of their lures suggests that the hospitality industry is one of the sectors targeted.
Phishing lure analysis
The first phishing email we picked up caught our attention for its use of Traditional Chinese characters used in Hong Kong and Taiwan, as opposed to the Simplified Chinese used in Mainland China. The email included a malicious PowerPoint attachment named 付款詳情.ppt [MD5:
8311c59ef727826c4b54e182a956e312], which contains malicious and obfuscated macros. The macro only executes when the file is closed by the user, in a likely attempt to avoid raising the victim’s suspicion.
Fig 1 – Deobfuscated payload [MD5: 127538a7d8703ec96a5e39e9fd235c06]
After deobfuscation it is clear that the VBA macro leverages the legitimate binary mshta.exe to connect to a hardcoded URL masked with the j.mp URL shortening service. The hardcoded URL eventually redirects to tumharimaakachodamarunmaine[.]blogspot[.]com/p/3-sunda-10-origin[.]html
Attack infrastructure and timeline
J.mp is a separate address for the better known bit.ly shortening service. According to bitly’s statistics, the malicious URL discovered was created at the end of February.
Fig 2 – bitly creation data for the malicious URL
The URL points to a server used by the threat actor to stage a range of malicious payloads, from cryptocurrency stealers to an open source remote access trojan (RAT). We will get to that in a second.
Pivoting on the identified staging server revealed a significant number of additional attack infrastructure, a new URL for each phishing document. These servers were all hidden behind the same j.mp shortening server and hosted on Blogspot infrastructure.
By checking the URLs creation date on bitly we were able to get a timeline of the malicious campaign, which shows how the threat actor behind it has been active since the beginning of the year and has recently increased their activity.
Fig 3 – timeline of attack infrastructure set up
In terms of payload, we could only examine one malicious URL [Tumharimaakachodamarunmain[.]blogspot[.]com/p/42[.]html] and found a number of scripts. We suspect that other URLs may host different payloads.
Fig 3 – Screenshot of the malicious webpage
The first script executes a set of VBScripts that fetch the content of the following link:
The file is deobfuscated and dropped on %Public%\bin.vbs before execution, and it aims at disabling security controls for subsequent malware executions.
Fig 4 – First script disables system’s security settings
The second script reaches out to the following URL, again with MSHTA : mylundisfarbigthenyouthink.blogspot.com/p/42.html
It contains three additional payloads to disable security defences and hiding attackers’ windows to hide malicious activity.
Then, an additional PowerShell script is executed by loading the script from two additional sites depending on the system architecture.
The payload will reflectively load two additional samples: a heavily obfuscated DLL with anti-analysis mechanisms [MD5: d1a426b9afe2ca1e56cdf48523c684e3], and an open source RAT called AsyncRat [MD5: 47c012de1faac9be5a860b600a06c5ee].
AsyncRat is able to send and receive commands, record keystrokes and screenshots, and upload/download files via SFTP, among other functions.
The threat actors also tries to steal victims’ cryptocurrencies by replacing the legitimate wallet address with one controlled by the attackers. This is done via the Powershell script shown below that looks for BTC wallets addresses in the clipboard and and replaces them with another one. Our research into the attacker’s BTC address shows that it had two small transactions, suggesting the attacker had so far only limited success.
Fig 4 – PowerShell script for cryptocurrency theft
Finally, the last script downloaded from the stager domain attempts to terminate instances of excel.exe and winword.exe in attempt to hide attacker’s tracks.
The attacker’s exploitation of open source malware and abuse freely available Blogspot URLs as malicious infrastructure highlights the increasing lowering barrier of entry for cybercriminal operations in Asia. Despite the relatively low-level nature of this threat in terms of technical sophistication, the use of malicious PowerPoint attachments shows some innovation in their social engineering tactics. Overall, this campaign shows how even low-cost but complex cybercriminal campaigns can pose a threat to organisations by leveraging unusual social engineering techniques and open source tools.
Indicators of Compromise
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.