MONSOON – ANALYSIS OF AN APT CAMPAIGN

Recommendations

Info

Forcepoint Security Labs | Special Investigations BADNEWS Weaponised Documents. The BADNEWS malware is typically packaged into a malicious document via an encrypted binary blob within that document. This binary blob often contains a legitimate decoy document that is shown to the user. On other occasions the decoy document is downloaded directly. CVE-2015-1641 has been observed as being exploited to drop BADNEWS. When the document exploit is triggered, the shellcode will drop the binary blob into the user's %temp% folder along with an encoded VBScript: Figure 15 – Binary Blob Dropped to %temp% The encoded VBScript uses a file extension which is not associated, by default, as being a VBScript file. The extensions .domx and .lgx have been observed. The shellcode is responsible for adding a new file association for the file extension which specifies that they should be interpreted as an encoded VBScript. Finally, the shellcode executes the encoded VBScript file which will extract the encrypted files from the binary blob, show the decoy document (if there is one), and execute the malware. The VBScript hard-coded sizes of the files to extract from the binary blob: Figure 16 – VB Extract of Blob MONSOON – ANALYSIS OF AN APT CAMPAIGN Revision: 1.07 | TLP-WHITE | 17/57
Forcepoint Security Labs | Special Investigations The decryption routine uses the encryption key "ludos” 7 to decrypt 32-byte chunks of the embedded files: Figure 17 – VB Decryption of Embedded Files Our analysis of BADNEWS can be found later in this document [Page: 22] 7 http://starwars.wikia.com/wiki/Ludos MONSOON – ANALYSIS OF AN APT CAMPAIGN Revision: 1.07 | TLP-WHITE | 18/57
Page 1 and 2: MONSOON - ANALYSIS OF AN APT CAMPAI
Page 3 and 4: Forcepoint Security Labs | Special
Page 17: Forcepoint Security Labs | Special

MONSOON – ANALYSIS OF AN APT CAMPAIGN

Create successful ePaper yourself

Delete template?

Save as template?