Cyber actors, likely an Advanced Persistent Threat (APT) group, have targeted US private-sector and government networks since August 2016 with spear-phishing campaigns that use newly identified exploits contained in lures related to foreign affairs and the recent US presidential election. The FBI analyzed malicious Microsoft Office documents, a zip archive, a first-stage downloader, second-stage in-memory-only PNG-wrapped malware, and a BAT-initiated PowerShell script associated with the campaigns. This FLASH provides rules and signatures to assist network defense efforts.
FBI analysis indicates that exploitation begins with a victim receiving a spear-phishing email containing either a malicious Microsoft Office document that drops and executes the first-stage downloader, or a link to a zip archive containing both the first and second stages. Once dropped to disk, the first-stage implant downloads and loads the second-stage in-memory-only PNG-wrapped malware, after which the second stage carries out the malicious activity.
The env.bat-initiated PowerShell script appears to be another Remote Access Tool (RAT) associated with the campaign. It creates a Net.WebClient object and uses its DownloadData() and UploadData() methods for network communication. The WebClient object is set up with GetDefaultProxy() and DefaultCredentials, so it is authenticating-proxy-aware: it will traverse a corporate proxy that requires the logged-on user's credentials.
In an attempt to blend in with "natural" network communications, the PowerShell script first attempts to connect to http://gmail.com or http://google.com (chosen randomly) and only proceeds if that connection succeeds. It also requests the callback base URL + /favicon.ico every 12 hours. Several sleep statements throughout the script introduce some variance in the periodicity of the network activity, so detection logic keyed on the interval should allow for jitter.
When a connection to the RAT controller succeeds, the returned HTML is searched for IMG tags; a tag is parsed only if its ALT value is "Send message to contact" and its SRC value contains a comma followed by a base64 string. The base64 string is extracted, parsed with a custom unpacking method, decrypted, unpacked further, and eventually passed to an Invoke-Expression call.
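The tasking channel described above can be checked for in captured HTTP response bodies (for example from a TLS-inspecting proxy or a host-based capture). The following is an added example, not a signature or code from the FBI or from the implant itself: it implements only the selection step the FLASH describes (an IMG tag whose ALT is exactly "Send message to contact" and whose SRC carries a comma followed by a base64 string) and stops at base64 decoding, because the custom unpacking and decryption that follow are not documented here. The sample HTML and the bytes it carries are constructed for the example.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

TASKING_ALT = "Send message to contact"
# Base64 alphabet with optional padding; anything else in SRC after the comma is not tasking.
_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


class _ImgCollector(HTMLParser):
    """Collect (alt, src) pairs from every <img> tag in a document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IMG ALT=...> is handled too.
        if tag == "img":
            a = dict(attrs)
            self.images.append((a.get("alt"), a.get("src")))


def extract_tasking_blobs(html):
    """Return the base64-decoded payload of every <img> matching the FLASH description.

    A tag qualifies only if ALT is exactly TASKING_ALT and SRC contains a comma
    followed by a valid base64 string. The decoded bytes are the packed/encrypted
    stage that the implant would go on to unpack and decrypt (not implemented here).
    """
    collector = _ImgCollector()
    collector.feed(html)
    blobs = []
    for alt, src in collector.images:
        if alt != TASKING_ALT or not src or "," not in src:
            continue
        candidate = src.split(",", 1)[1].strip()
        if not _B64_RE.fullmatch(candidate):
            continue
        try:
            blobs.append(base64.b64decode(candidate, validate=True))
        except binascii.Error:
            # Alphabet matched but padding/length was wrong: not a usable blob.
            continue
    return blobs


# Constructed sample page (not a real controller response): one ordinary image,
# one decoy data URI with the wrong ALT, and one tasking image.
_FAKE_STAGE = b"constructed-packed-stage"
SAMPLE_HTML = (
    "<html><body>"
    '<img src="/logo.png" alt="Logo">'
    '<img alt="Attachment" src="data:image/png;base64,'
    + base64.b64encode(b"decoy").decode() + '">'
    '<img alt="Send message to contact" src="data:image/gif;base64,'
    + base64.b64encode(_FAKE_STAGE).decode() + '">'
    "</body></html>"
)

if __name__ == "__main__":
    for blob in extract_tasking_blobs(SAMPLE_HTML):
        print(len(blob), blob)
```

Only the base64 layer is peeled here; the decoded bytes should be retained for analysis of the custom unpacking and decryption rather than executed.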
This toolset, and these adversaries, are known for using in-memory-only modules, so network defense measures should include imaging the device's memory before any shutdown or reboot of a suspected compromised system; on-disk artifacts may be absent.
The PowerShell script attempts to read the Registry key "HKEY_CURRENT_USER\Software\Apple Inc\Updater" and the value name "EditFlags." This appears to be a fairly unique value, but we encourage testing in your environment before deploying detection capabilities broadly.
The following User-Agent string was found hardcoded within the PowerShell implant. All communications observed thus far have been over HTTPS, so it may only be detectable with a signature if you use TLS/SSL inspection or a host-based solution for inspecting network communications.
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
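Where TLS inspection or host-based capture makes request metadata visible, the hardcoded User-Agent above and the 12-hour /favicon.ico check-in can both be hunted in proxy logs. The following is an added example, not a rule shipped with this FLASH: the tab-separated log format, the client addresses, and the callback host name callback.invalid are all constructed for the example (the FLASH does not publish the callback URL), and the 45-minute tolerance is an assumption made to absorb the script's sleep-induced jitter.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# User-Agent string hardcoded in the PowerShell implant (from the FLASH).
IMPLANT_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
# Check-in period from the FLASH; tolerance is an assumption for the sleep jitter.
BEACON_PERIOD = timedelta(hours=12)
BEACON_TOLERANCE = timedelta(minutes=45)

# Constructed proxy log: timestamp, client, method, URL, User-Agent (tab-separated).
# 10.1.2.3 behaves like the implant; 10.1.2.9 is a normal browser hitting an intranet site.
SAMPLE_LOG = """\
2016-12-01T08:00:12Z\t10.1.2.3\tGET\thttp://google.com/\tMozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
2016-12-01T08:00:40Z\t10.1.2.3\tGET\thttps://callback.invalid/favicon.ico\tMozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
2016-12-01T08:00:55Z\t10.1.2.3\tGET\thttps://callback.invalid/inbox\tMozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
2016-12-01T09:00:00Z\t10.1.2.9\tGET\thttps://intranet.invalid/favicon.ico\tMozilla/5.0 (Windows NT 10.0; rv:50.0) Gecko/20100101 Firefox/50.0
2016-12-01T09:05:10Z\t10.1.2.9\tGET\thttps://intranet.invalid/favicon.ico\tMozilla/5.0 (Windows NT 10.0; rv:50.0) Gecko/20100101 Firefox/50.0
2016-12-01T20:13:05Z\t10.1.2.3\tGET\thttps://callback.invalid/favicon.ico\tMozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
2016-12-02T08:02:51Z\t10.1.2.3\tGET\thttps://callback.invalid/favicon.ico\tMozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
2016-12-02T09:01:00Z\t10.1.2.9\tGET\thttps://intranet.invalid/favicon.ico\tMozilla/5.0 (Windows NT 10.0; rv:50.0) Gecko/20100101 Firefox/50.0
"""


def parse_log(text):
    """Parse the constructed tab-separated format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ua = line.split("\t", 4)
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "url": url, "ua": ua,
        })
    return records


def find_ua_hits(records):
    """Exact match on the implant's hardcoded User-Agent; returns (client, url) pairs."""
    return [(r["client"], r["url"]) for r in records if r["ua"] == IMPLANT_UA]


def find_favicon_beacons(records, period=BEACON_PERIOD, tolerance=BEACON_TOLERANCE, min_intervals=2):
    """Flag (client, host) pairs whose /favicon.ico requests recur at roughly the period.

    Requires at least `min_intervals` consecutive gaps within `tolerance` of `period`,
    so a browser fetching a favicon a few times in one session is not flagged.
    """
    by_pair = defaultdict(list)
    for r in records:
        parts = urlsplit(r["url"])
        if parts.path == "/favicon.ico":
            by_pair[(r["client"], parts.netloc)].append(r["ts"])
    hits = []
    for (client, host), stamps in by_pair.items():
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        periodic = [g for g in gaps if abs(g - period) <= tolerance]
        if len(periodic) >= min_intervals:
            hits.append((client, host, len(stamps)))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("UA hits:", find_ua_hits(recs))
    print("12h favicon beacons:", find_favicon_beacons(recs))
```

The User-Agent match is the cheaper check but is only a string the implant happens to use; the periodicity check is independent of the string and survives a changed User-Agent, at the cost of needing at least three check-ins before it fires.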