The malicious document was submitted from South Korea to Virus Total on December 29 at 09:04, a day after the original email was sent to the target list. The email was sent from the IP address 43.249.39.152, in Singapore, on December 28 at 23:34. The attacker spoofed the message to appear to be from info@nctc.go.kr, which is the National Counter-Terrorism Center (NCTC) in South Korea. The timing is interesting because the NCTC was in the process of conducting physical antiterror drills in the region in preparation for the Olympic Games. The spoofed source of this email suggests the message is legitimate and increases the chances that victims will treat it as such.<\/p>\n
Based on our analysis of the email header, this message did not come from NCTC, rather from the attacker\u2019s IP address in Singapore. The message was sent from a Postfix email server and originated from the hostname ospf1-apac-sg.stickyadstv.com. When the user opens the document, text in Korean tells the victim to enable content to allow the document to be opened in their version of Word.<\/p>\n
The malicious document with instructions to enable content.<\/em><\/p>\n The enable content message.<\/em><\/p>\n The document contains an obfuscated Visual Basic macro:<\/p>\n Visual Basic macro.<\/em><\/p>\n The malicious document launches a PowerShell script when the user clicks \u201cEnable Content.\u201d The document was created on December 27 at 15:52 by the author \u201cJohn.\u201d<\/p>\n The malicious document launches the following PowerShell script:<\/p>\n Manually executing the PowerShell script at the command line.<\/em><\/p>\n The script downloads and reads an image file from a remote location and carves out a hidden PowerShell implant script embedded within the image file to execute.<\/p>\n The attackers used the open-source tool Invoke-PSImage, released December 20, to embed the PowerShell script into the image file. The steganography tool works by embedding the bytes of a script into the pixels of the image file, giving the attacker the ability to hide malicious PowerShell code in a visible image on a remote server. The following script can be identified as generated by Invoke-PSImage to execute the attacker\u2019s implant in an image from a remote server.<\/p>\n The initial PowerShell script.<\/em><\/p>\n The image that contains the hidden PowerShell code.<\/em><\/p>\n To verify the usage of steganography, we employed the tool StegExpose to check the file:<\/p>\n The result confirms the presence of hidden data in our file.<\/p>\n Once the script runs, it passes the decoded script from the image file to the Windows command line in a variable $x, which uses cmd.exe to execute the obfuscated script and run it via PowerShell.<\/p>\n &&set\u00a0 xmd=echo\u00a0 iex (ls env:tjdm).value ^| powershell -noni\u00a0 -noex\u00a0 -execut bypass -noprofile\u00a0 -wind\u00a0 hidden\u00a0\u00a0\u00a0\u00a0 – && cmd\u00a0\u00a0 \/C%xmd%<\/p>\n The extracted script is heavily disguised, using a combination of string-format operator obfuscation and other string-based obfuscation techniques.<\/p>\n The obfuscated PowerShell implant script.<\/em><\/p>\n The attacker\u2019s objective is to make analysis difficult and to evade detection technologies that rely on pattern matching. Because the obfuscation makes use of native functions in PowerShell, the script can run in an obfuscated state and work correctly.<\/p>\n Obfuscated control servers.<\/em><\/p>\n When we deobfuscate the control server URLs, the implant establishes a connection to the following site over SSL:<\/p>\n hxxps:\/\/www.thlsystems.forfirst.cz:443\/components\/com_tags\/views\/login\/process.php.<\/p>\n Based on our analysis, this implant establishes an encrypted channel to the attacker\u2019s server, likely giving the attacker the ability to execute commands on the victim\u2019s machine and to install additional malware. Ultimately this PowerShell implant will be set to automatically start daily at 2 am via a scheduled task (shown below). The view.hta contains the same PowerShell-based implant and establishes a remote connection over SSL to hxxps:\/\/200.122.181.63:443\/components\/com_tags\/views\/news.php.<\/p>\n C:\\Windows\\system32\\schtasks.exe” \/Create \/F \/SC DAILY \/ST 14:00 \/TN “MS Remoute Update” \/TR C:\\Users\\Ops03\\AppData\\Local\\view.hta<\/p>\n The contents of view.hta.<\/em><\/p>\n During our research, we discovered a cached Apache server log for the IP address 81.31.47.101, which is shared hosting. This log contained information for the control server thlsystems.forfirst.cz, which showed an IP address from South Korea connecting to the specific URL paths contained in the PowerShell implants. This indicates that the implant was active in South Korea and targets were likely being infected.<\/p>\n Apache server log from December 29, 2017.<\/em><\/p>\n While investigating thlsystems.forfirst.cz we discovered that the webpage belongs to a legitimate entity, suggesting this is a compromised server being used as both an encrypted backchannel for the attacker and the distribution of implants. The server also hosts a copy of the obfuscated PowerShell implant.<\/p>\n The implant establishes an encrypted channel to the following URL path:<\/p>\n hxxps:\/\/www.thlsystems.forfirst.cz:443\/components\/com_tags\/views\/admin\/get.php<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2018\/01\/20180104-Olympics-1.png\")
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n