MONSOON – ANALYSIS OF AN APT CAMPAIGN
2aWUb2X
2aWUb2X
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Forcepoint Security Labs | Special Investigations<br />
BADNEWS Weaponised Documents. The BADNEWS malware is typically packaged into a malicious<br />
document via an encrypted binary blob within that document. This binary blob often contains a legitimate<br />
decoy document that is shown to the user. On other occasions the decoy document is downloaded<br />
directly.<br />
CVE-2015-1641 has been observed as being exploited to drop BADNEWS. When the document exploit is<br />
triggered, the shellcode will drop the binary blob into the user's %temp% folder along with an encoded<br />
VBScript:<br />
Figure 15 <strong>–</strong> Binary Blob Dropped to %temp%<br />
The encoded VBScript uses a file extension which is not associated, by default, as being a VBScript file.<br />
The extensions .domx and .lgx have been observed. The shellcode is responsible for adding a new file<br />
association for the file extension which specifies that they should be interpreted as an encoded VBScript.<br />
Finally, the shellcode executes the encoded VBScript file which will extract the encrypted files from the<br />
binary blob, show the decoy document (if there is one), and execute the malware.<br />
The VBScript hard-coded sizes of the files to extract from the binary blob:<br />
Figure 16 <strong>–</strong> VB Extract of Blob<br />
<strong>MONSOON</strong> <strong>–</strong> <strong><strong>AN</strong>ALYSIS</strong> <strong>OF</strong> <strong>AN</strong> <strong>APT</strong> <strong>CAMPAIGN</strong> Revision: 1.07 | TLP-WHITE | 17/57