PowerShell used for spreading Trojan.Laziok through Google Docs

Introduction

Through our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the malicious page from Internet Explorer (versions 3 to 11) would have become the unwilling hosts for the infostealer payload without any security warning. After we alerted Google about its presence, they quickly cleaned it and the original URL involved in propagation also went down.

The Payload

Trojan.Laziok reportedly serves as a reconnaissance tool that attackers use to collect information about systems they have compromised. It has been seen previously in a cyber espionage campaign targeting the energy sector, particularly in the Middle East[i]. In that campaign, the malware was spread using spam emails with malicious attachments exploiting the CVE-2012-0158 vulnerability.

The techniques used for delivery in this case involve exploiting users running versions of Internet Explorer that support VBScript.

Attack Delivery Point

The attacker stored the first stage of the attack on the Polish domain hosting site cba[.]pl. As seen in Figure 1, the first stage initiates the attack by running obfuscated JavaScript from www.younglean. cba[.]pl/lean/.

Figure 1. Obfuscated code shown in the response

Once decoded, the JavaScript unpacks and runs vulnerability CVE-2014-6332 through VBScript execution in Internet Explorer (versions 3 to 11), exploiting the memory corruption vulnerability in Windows Object Linking and Embedding (OLE) Automation to bypass operating system security utilities and other protections and thus enabling attackers to enter into ”GodMode” function. CVE-2014-6332 usage, along with GodMode privileges abuse, has been used as a combination since late 2014 via a known PoC[ii], as seen Figures 2a and 2b:

Figure 2a. CVE-2014-6332 usage

Figure 2b. Function call to runmumaa() after “GodMode” access changing the safemode flags

Next, the runmaa() function downloads the malicious payload from Google Docs through PowerShell. PowerShell is used to download malware and execute it inside defined %APPDATA% environment variable path via DownloadFile and ShellExecute commands. All VBScript instructions and PowerShell scripts are part of the obfuscated script inside document.write(unescape), shown in Figure 1.

PowerShell is also useful for bypassing anti-virus software because it is able to inject payloads directly in memory. We have previously discussed active PowerShell data stealing campaigns from Russia[iii]. It seems the technique is still popular among campaigns involving infostealers, and this one was able to evade Google Docs security checks. The payload download link from Google Docs – seen in Figure 3 showing the de-obfuscated code – fetched live malware for victims who ended up on the aforementioned Polish website.

Figure 3. Using PowerShell to fetch payload hosted on Google docs link

Payload Details

The downloaded payload is infostealer Trojan.Laziok, as evidenced by its callback trace and the presence of the following data:

00406471 PUSH 21279964.00414EED ASCII “open”
0040649C MOV EDX,21279964.004166A8 ASCII “idcontact.php?COMPUTER=”
004064B1 MOV EDX,21279964.00415D6D ASCII “&steam=”
004064D2 MOV EDX,21279964.00416D96 ASCII “&origin=”
004064F3 MOV EDX,21279964.00416659 ASCII “&webnavig=”
00406514 MOV EDX,21279964.00416B17 ASCII “&java=”
00406535 MOV EDX,21279964.00415601 ASCII “&net=”
00406556 MOV EDX,21279964.00414F76 ASCII “&memoireRAMbytes=”
0040656B MOV EDX,21279964.0041628C ASCII “&diskhard=”
0040658E MOV EDX,21279964.00414277 ASCII “&avname=”
004065AF MOV EDX,21279964.00416BFC ASCII “&parefire=”
004065D0 MOV EDX,21279964.0041474A ASCII “&install=”
004065E5 MOV EDX,21279964.00414E12 ASCII “&gpu=”
00406606 MOV EDX,21279964.004164B7 ASCII “&cpu=”
00406659 MOV EDX,21279964.004170F9 ASCII “bkill.php”
004066B9 MOV EDX,21279964.00415B79 ASCII “0000025C00000C6B000008BB000006ED0000088900000453000004CE0000054100000B75”
004066ED MOV EDX,21279964.004149CD ASCII “install_info.php”
00406735 MOV EDX,21279964.00415951 ASCII “pinginfo.php”
00406772 MOV EDX,21279964.00416B6B ASCII “get.php?IP=”
00406787 MOV EDX,21279964.0041463F ASCII “&COMPUTER=”
0040679C MOV EDX,21279964.00416DF5 ASCII “&OS=”
004067B1 MOV EDX,21279964.00415CB8 ASCII “&COUNTRY=”
004067C6 MOV EDX,21279964.00416069 ASCII “&HWID=”
004067DB MOV EDX,21279964.00414740 ASCII “&INSTALL=”
004067F0 MOV EDX,21279964.00415BE3 ASCII “&PING=”
00406805 MOV EDX,21279964.004158E2 ASCII “&INSTAL=”
0040681A MOV EDX,21279964.00414D3E ASCII “&V=”
0040682F MOV EDX,21279964.00414E5D ASCII “&Arch=”
00406872 MOV EDX,21279964.00414166 ASCII “post.php”
00406899 MOV EDX,21279964.00414EB0 ASCII “*0”

Above instructions of the payload, when unpacked, highlight the typical traits of Trojan.Laziok. The infostealer tries to collect information about computer name, CPU details, RAM size, location (country), and installed software and antivirus (AV). Our MVX engine also shows that it attempts to access popular AV files, such as installer files for Kaspersky, McAfee, Symantec and Bitdefender. It also blends in by copying itself to well-known folders and processes such as:

C:\Documents and Settings\admin\Application Data\System\Oracle\smss.exe

The payload attempts to call back to a known bad Polish server [hxxp://]193.189.117[.]36]

We observed the first instance of this attack on March 13, 2016. The malware was available on Google Docs until we alerted Google about its presence. Users are not usually able to download malicious content from Google Docs because Google actively scans and blocks malicious content. The fact that this sample was available and downloadable on Google Docs suggests that the malware evaded Google’s security checks. Following our notification, Google promptly removed the malicious file and it can no longer be fetched.

Conclusion

FireEye’s multi-flow detection mechanism catches this at every level, from the point of entry to the callback – and the malware is not able to bypass FireEye sandbox security. PowerShell data stealing campaigns have also been observed spreading through document files with embedded macros, so corporate environments need to be extra careful regarding the policy and regulation of PowerShell usage – especially since the abuse can involve some trusted sources that sometimes have exemptions, with whitelists from some security vendors being one example. Or they can keep using FireEye.

[i] http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector
[ii] http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/
[iii] https://www.fireeye.com/blog/threat-research/2015/12/uncovering_activepower.html