
Inception Attackers Target Europe with Year-old Office Vulnerability

The Inception attackers have been active since at least 2014 and have been documented previously by both Blue Coat and Symantec; historical attacks used custom malware for a variety of platforms and targeted a range of industries, primarily in Russia but also around the world. This blog describes attacks against European targets observed in October 2018, using CVE-2017-11882 and a new PowerShell backdoor we're calling POWERSHOWER, named for the attention it pays to cleaning up after itself and for the malware being written in PowerShell.


Unit 42 has previously observed attacks from the group in 2017 against government targets in Europe, Russia, and Central Asia, and expects these to remain the primary regions in which this threat is seen.


In the last write-up by Symantec they describe a two-stage spear phishing process used by the Inception attackers, whereby the attackers first send a reconnaissance spear phish, and follow this up with a second spear phish containing a remote template, which, if loaded, delivers a first-stage payload.


In their most recent attacks it appears that only one document is used, but in a manner that still allows them to avoid revealing their final payload immediately; the use of templates remains the same.


Remote Templates are Great


Remote templates are a feature of Microsoft Word which allows a document to load a template to be used in that document. This template can be hosted externally, either on a file share or on the internet, and is loaded when the document is opened. The Inception attackers use this feature in a malicious context, as shown in Figure 1 below:


Figure 1. Overview of how the attack takes place.


Using a remote template in this manner has been a consistent feature of the Inception attackers' attacks for the past four years and has three main benefits to the attacker:



  1. The initial document does not contain any explicitly malicious object; it merely references an external object, meaning it should bypass static analysis techniques. An example of how this appears in the document is shown in Figure 2.

  2. The attacker has the option to deploy malicious content to the victim based upon initial information received from the target, such as the Microsoft Word version (sent in the User-Agent) and the IP address of the target; see Figure 1.

  3. Once the attack is over and the server hosting the remote template is down, it is difficult for researchers to analyze the attack, as the remote content is unlikely to be available to them.


Figure 2. Example of how remote templates are referenced in Inception documents.


When opened, the documents display decoy content and attempt to fetch a malicious remote payload via HTTP. The decoy content is usually copied from media reports, often with political themes in the target regions. Some examples of decoys observed are shown in Figure 3, including invitations to international conferences and news articles on the current situation in Crimea.


Figure 3. Examples of decoys shown in Inception attacks in 2018. The first is taken from a VGOPAD invitation sent on Facebook in 2017, the second is from a European Policy Centre summary.


On most occasions the remote server did not provide a malicious template; however, we recently observed two cases where a malicious template containing two exploits was served. In both cases the template contained exploits for both CVE-2012-1856 and CVE-2017-11882, which target vulnerabilities in Microsoft Office components disclosed and patched in 2012 and 2017 respectively.


The payload for the exploits was VBScript in an OLE package object, which in turn decodes and executes POWERSHOWER, a simple PowerShell backdoor.


POWERSHOWER – Malware that Cleans Up After Itself


Earlier, we mentioned that previous attacks were apparently delivered over two spear phishing emails, with the first only being used for reconnaissance. In the latest cases we only observed a single document being sent to the targets, with reconnaissance, exploitation, and payload delivery happening on the first attempt.


The dropped payload, POWERSHOWER, acts as an initial reconnaissance foothold and is almost certainly used to download and execute a secondary payload with a more complete set of features. By only using this simple backdoor to establish a foothold, the attacker can hold back their most sophisticated and complex malware for later stages, making it less likely to be detected.


In a nutshell, POWERSHOWER allows the attacker to:



  • Fingerprint the machine, and upload this information to the initial C&C.

  • Clean up a significant amount of forensic evidence from the dropper process, as we detail below.

  • Run a secondary payload, if the attacker decides the target machine is sufficiently interesting (based on analysis of the system information sent in the first beacon).


POWERSHOWER Analysis


POWERSHOWER first checks if Microsoft Word is currently running. If it is, the malware assumes this is its first run and performs the following operations:



  1. Writes itself to %AppData%\Microsoft\Word\log.ps1

  2. Sets up persistence for this file, using a Run key.

  3. Adds a registry key so that future powershell.exe instances are spawned off-screen by default – this trick is explained here.

  4. Kills the Microsoft Word process.

  5. Removes all files created during the dropper process, including evidence that the original document was opened, the initial .VBS file, and all temporary files associated with the retrieval of the remote template in the IE temporary files directory.

  6. Removes all registry entries that are left behind during the dropper process.

  7. Collects system information on the infected machine and POSTs it to the C2.

  8. Exits


If Microsoft Word is not running, the malware enters its main communications loop, performing the following actions in sequence. This loop should only be entered after a reboot of the machine:



  1. Collects system information and POSTs it to the C2.

  2. Performs a GET request.

  3. Based on the status code of the GET request it will branch operations:

    • If the status code is not 200, the malware sleeps for a random amount of time between around 25 minutes and 35 minutes, based on a randomly generated number.

    • If the status code is 200 the malware expects the response to:

      • Begin with a “P”; in which case the malware writes the response to disk, presumably to be executed or used in a subsequent command.

      • Begin with an “O”; in which case the malware assumes the response contains VBS code, which is saved to disk, then executed.

      • If it does not begin with either of these characters, it is assumed to be an XML file containing a PowerShell expression, which is written to disk, read into memory, deleted, and then executed.
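The 25 to 35 minute sleep between unsuccessful polls is itself a detectable artifact: a host that keeps returning to one server at a jittered fixed cadence looks nothing like a user browsing. The following Python script is an added example, not code from the original post or from the malware: it runs over a few constructed proxy log lines (placeholder client and server addresses, not the indicators in this post) and flags any client/destination/method triple whose request gaps all sit within a fixed fraction of their median. The log format, the jitter tolerance and the minimum period are assumptions to adapt to the environment.

```python
"""Flag clients whose requests to one destination recur at a jittered fixed interval.

Added example, not code from the Unit 42 post or from POWERSHOWER. The log
lines are constructed proxy records of the form
'<iso8601> <src> <dst> <method> <status>'; the addresses are placeholders.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: 10.1.2.30 beacons to 192.0.2.10 (POST then GET every
# ~27-34 minutes, GET answered 404); 10.1.2.31 is a user browsing 198.51.100.7.
SAMPLE_LOG = """\
2018-10-10T09:00:00Z 10.1.2.30 192.0.2.10 POST 200
2018-10-10T09:00:01Z 10.1.2.30 192.0.2.10 GET 404
2018-10-10T09:27:10Z 10.1.2.30 192.0.2.10 POST 200
2018-10-10T09:27:11Z 10.1.2.30 192.0.2.10 GET 404
2018-10-10T10:00:40Z 10.1.2.30 192.0.2.10 POST 200
2018-10-10T10:00:41Z 10.1.2.30 192.0.2.10 GET 404
2018-10-10T10:29:05Z 10.1.2.30 192.0.2.10 POST 200
2018-10-10T10:29:06Z 10.1.2.30 192.0.2.10 GET 404
2018-10-10T09:00:05Z 10.1.2.31 198.51.100.7 GET 200
2018-10-10T09:12:00Z 10.1.2.31 198.51.100.7 GET 200
2018-10-10T09:40:00Z 10.1.2.31 198.51.100.7 GET 200
2018-10-10T10:30:00Z 10.1.2.31 198.51.100.7 GET 200
"""


def parse_log(text):
    """Group request timestamps by (src, dst, method)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, _status = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events[(src, dst, method)].append(when)
    return events


def intervals_minutes(times):
    """Gaps between consecutive requests, in minutes."""
    times = sorted(times)
    return [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]


def find_beacons(events, min_intervals=3, jitter_frac=0.25, min_period=5.0):
    """Return {(src, dst, method): median_gap_minutes} for beacon-like series.

    A series is flagged when it has at least min_intervals gaps, its median gap
    is at least min_period minutes (sub-minute cadences are usually legitimate
    polling), and every gap lies within jitter_frac of that median. The
    thresholds are assumptions; tune them to the environment.
    """
    flagged = {}
    for key, times in events.items():
        gaps = intervals_minutes(times)
        if len(gaps) < min_intervals:
            continue
        m = median(gaps)
        if m < min_period:
            continue
        if all(abs(g - m) <= jitter_frac * m for g in gaps):
            flagged[key] = round(m, 1)
    return flagged


if __name__ == "__main__":
    for key, period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{key[0]} -> {key[1]} {key[2]}: every ~{period} min")
```

With these thresholds the infected client is reported twice, once for its POSTs and once for its GETs, because the two requests in each loop iteration are a second apart and are grouped by method; the browsing client is not reported because one of its gaps falls far outside the band around its median. A sleep that is uniformly random over a band this narrow is still a strong periodic signal, which is a caveat for anyone copying this kind of jitter into their own tooling.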






The code behind the main C&C loop is shown in Figure 4.


Figure 4. The main C&C loop.


Although the malware is simple, it is fairly effective, giving the attacker options on how to run their next, more sophisticated, payload.


Conclusion


The Inception attacks continue to mostly remain under the radar, which is in part down to the effort put in by the attackers to make their attacks harder to analyze. In the latest wave of attacks, they've done this through:



  • Use of remote templates, hindering analysis of historical attacks.

  • Anti-forensics techniques used during the dropper process to prevent clues as to how the malware was installed being left on disk or in the registry.

  • Use of the new, basic POWERSHOWER backdoor as a first stage, making it harder for researchers to obtain copies of the more sophisticated payloads used by the attackers.


Indicators of Compromise


Remote template documents for which we have the matching payload


13de9678279b6ce6d81aeb32c0dd9f7458ad1f92aee17f3e052be9f06d473bed

d547773733abef19f2720d4def2356d62a532f64bcb002fb2b799e9ae39f805f

Remote templates analyzed


687ee860fd5cd9902b441c26d72788d5a52052d03047a9b071808fc4c53a7e8b

72eb022f395cc15bbe9582ee02f977ea0692932461a8b0bd608d9f0971125999

PowerShower sample


8aef4975d9c51821c4fa8ee1cbfe9c1f4a88c8784427d467ea99b2c1dabe15ae

Other related templates and exploit documents from 2018


49dbcf1fc8d3381e495089f396727a959885c1dd2ab6cd202cf3c4dbd1d27c4f

8b212ee2d65c4da033c39aebaf59cc51ade45f32f4d91d1daa0bd367889f934d

cc64a68ba52283f6cf5521cf75567b3c5b5143f324d37c59906ee63f1bbafcaf

2bcb8a4ddc2150b25a44c292db870124c65687444f96e078f575da69bbf018e0

Infrastructure


First Seen           IP                   Context
20th July 2018       51.255.139[.]194     Remote template host
13th August 2018     188.165.62[.]40      Remote template host
10th October 2018    200.122.128[.]208    POWERSHOWER C2
22nd October 2018    108.170.52[.]158     Remote template host

Table 1 – IP addresses associated with Inception remote template documents

