Today we have one of a sample had been linked to APT34, based on CheckPoint report.
“In this latest campaign from January, a document submitted to VirusTotal from Lebanon (a common target for APT34), also depicts such a job opportunity document, although in this case we were unable to confirm the initial delivery mechanism to the target”
Weaponization:
Job-Details.doc Microsoft document file contains information about Niva company and list of jobs opened on it, But after enabling Macro.
Exploitations :
After victim enables the MACRO to show file details. There is automatic function (Docment_Open) will run, once file opened.
Firstly, the function gets victim hostname and username to generate unique ID for victim.
Application.MouseAvailable // ANTI-SANDBOXING TECHNIQUES
Then reads data from document and decrypt it by custom based64 function.
When victim close document, function (Document_Close)will run. It checks anti-sandboxing techniques again.
Then used list of calls to create new Schedule Task and rename b.doc file to SystemFailureReporter.exe .
Installation :
After dropping execute file (SystemFailureReporter.exe) on writable path, Then Macro Create Schedule Task as persistence mechanism.
Command & Control :
There are two C2 servers, firstly the Macro code generated unique victim ID and append to random number and stage level for the malware reach it.
Second server was used by SystemFailureReporter.exe
IOCs :
Recommendation:
- Block IOCs.
- Monitoring unusual DNS requests.
- Monitoring Create/Update ScheduleTask. (EventCode=4698, Command and Arguments).
// For Hunting //Powershell script to prints all schedule tasks.
Get-ScheduledTask -TaskPath \*|
ForEach-Object {
[pscustomobject]@{
Name = $_.TaskName
Path = $_.TaskPath
LastResult = $(($_ | Get-ScheduledTaskInfo).LastTaskResult)
NextRun = $(($_ | Get-ScheduledTaskInfo).NextRunTime)
Status = $_.State
Command = $_.Actions.execute
Arguments = $_.Actions.Arguments
}
}
Reference :
