APT#27 Backdoor#2021

SuheililA
Oct 19, 2021
High level design

The sample is part of a spear-phishing campaign that targeted gambling organizations (their support teams). Some cyber security companies attribute the attacks to the APT27 group.

Weapon:

The document file (Gamb1Docx.docx) is used as the weapon of this attack.

It contains a script that downloads the info.cab file, extracts it, and then runs debug.exe.

Exploitation:

After info.cab is downloaded and extracted, debug.exe is executed.

The debug.exe file is clean on OSINT and signed by Google Inc.

Product name: Google Update.

SHA256: ec7e883e7af38bf3ac0ac513cfde0186038443e9acc7ad616ee6bd0ec09aacb9

Once debug.exe runs, it loads the malicious goopdate.dll file. This technique is called DLL side-loading (MITRE ATT&CK T1574.002).

Installation:

Debug.exe (PID 2608):

The first debug.exe process was launched by the script in the docx file.

Debug.exe (PID 6528):

The first debug.exe process created a new service named spooller (registered via the Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Spooller) and then ran it; the second debug.exe process ran as that service.

Msiexec.exe:

The second debug.exe process then creates a new msiexec.exe process (legitimate and signed by Microsoft), but the malware injects malicious code into the msiexec.exe process and changes its execution flow to run that code.

** At first glance, this sequence of API calls looks like the “process hollowing” technique, but it is not.

Svchost.exe:

The same behavior (injecting malicious code into a legitimate process) is used again on svchost.exe.

Command and Control:

After resolving the malicious domain, the malware tried to reach the server over TCP port 53.

betwln520[.]com
www[.]kkxx888666[.]com

IOCs:

Recommendations:

  • Monitor Windows process activity (cmd, powershell, …) for actions such as downloading a file, expanding an archive and starting a process.
  • Monitor processes loading DLLs from the same folder as the executable, especially the %temp% folder.
  • Monitor common protocols on unexpected ports, such as HTTP/HTTPS over port 53.
  • Use an EDR solution to block advanced behaviors such as process hollowing and process injection.
  • Block the IOCs.
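To tie the Installation, DLL side-loading and Command and Control observations above to the recommendations, here is an added detection example (my own code, not from the original post) that runs three checks over constructed Sysmon-style events: an unsigned DLL loaded by an executable from the same %temp% folder, a Run-key persistence entry pointing at a %temp% binary, and a TCP connection to destination port 53. The events themselves, the svchost.exe attribution of the port-53 connection and the IP addresses are constructed for the example; the field names follow Sysmon's ImageLoad (EventID 7), RegistryEvent (EventID 13) and NetworkConnect (EventID 3) events.

```python
"""Added detection example (not part of the original post): flag the three
behaviours described in the post over constructed Sysmon-style events."""
import ntpath

# Constructed sample events (not real telemetry), loosely modelled on Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2608,
     "Image": r"C:\Users\victim\AppData\Local\Temp\debug.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # debug.exe loading goopdate.dll from its own %temp% folder (side-loading)
    {"EventID": 7, "ProcessId": 2608,
     "Image": r"C:\Users\victim\AppData\Local\Temp\debug.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\goopdate.dll",
     "Signed": "false"},
    # Run-key persistence named Spooller pointing at the %temp% binary
    {"EventID": 13, "ProcessId": 2608,
     "Image": r"C:\Users\victim\AppData\Local\Temp\debug.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Spooller",
     "Details": r"C:\Users\victim\AppData\Local\Temp\debug.exe"},
    # constructed: injected svchost.exe reaching C2 over TCP 53 (IP is a doc range)
    {"EventID": 3, "ProcessId": 7100,
     "Image": r"C:\Windows\System32\svchost.exe",
     "Protocol": "tcp", "DestinationIp": "203.0.113.10", "DestinationPort": 53},
    # Benign controls: a signed DLL from Program Files, and normal UDP DNS.
    {"EventID": 7, "ProcessId": 4000,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll",
     "Signed": "true"},
    {"EventID": 3, "ProcessId": 1200,
     "Image": r"C:\Windows\System32\svchost.exe",
     "Protocol": "udp", "DestinationIp": "192.0.2.1", "DestinationPort": 53},
]

TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def is_temp_path(path):
    """True if the path sits under a user or system temp folder."""
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def dir_of(path):
    return ntpath.dirname(path).lower()


def check_sideload(ev):
    """EventID 7: unsigned DLL loaded from the loader's own temp directory."""
    if ev.get("EventID") != 7:
        return None
    exe, dll = ev["Image"], ev["ImageLoaded"]
    if (dir_of(exe) == dir_of(dll) and is_temp_path(dll)
            and ev.get("Signed", "").lower() != "true"):
        return (f"dll-sideload: {ntpath.basename(exe)} loaded "
                f"{ntpath.basename(dll)} from {dir_of(dll)}")
    return None


def check_run_key(ev):
    """EventID 13: Run/RunOnce value whose data points at a temp-folder binary."""
    if ev.get("EventID") != 13:
        return None
    key = ev["TargetObject"].lower()
    if any(run in key for run in RUN_KEYS) and is_temp_path(ev.get("Details", "")):
        return f"run-key-persistence: {ev['TargetObject']} -> {ev['Details']}"
    return None


def check_tcp53(ev):
    """EventID 3: TCP to port 53. DNS over TCP is legitimate for large answers,
    so this is a hunting lead to baseline per process, not a hard alert."""
    if ev.get("EventID") != 3:
        return None
    if ev.get("Protocol") == "tcp" and ev.get("DestinationPort") == 53:
        return (f"tcp-53: {ntpath.basename(ev['Image'])} (pid {ev['ProcessId']}) "
                f"-> {ev['DestinationIp']}:53")
    return None


CHECKS = (check_sideload, check_run_key, check_tcp53)


def scan(events):
    """Run every check over every event and return the list of findings."""
    return [hit for ev in events for check in CHECKS if (hit := check(ev))]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The two benign control events produce no findings, which is the point of the "same folder plus temp plus unsigned" conjunction: signed DLLs loaded beside their own executable in Program Files are normal, and UDP 53 from the DNS client is normal. In production the Sysmon events would come from a log pipeline rather than an inline list, and the port-53 rule should be baselined per process image before it is promoted to an alert.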

References:

https://papers.vx-underground.org/archive/APTs/2021/2021.01.04/Paper/APT%2027.pdf

https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf

https://attack.mitre.org/techniques/T1574/002/
