Cyber espionage: Fileless Malware DownEX discovered

Bitdefender_News


Bitdefender Labs experts have discovered a new malware family. The sophisticated and highly targeted attack, called DownEx, is currently still aimed at government agencies in Central Asia. Companies operating in this region can also become victims.

The attackers' main goal is espionage and the exfiltration of information. The malicious code largely runs only in main memory (hence "fileless"), which makes it hard to detect. By analyzing the Python script and reverse engineering the communication with the command-and-control (C2C) server, the experts identified four main functions of the malware: it lets the attackers search for specific files, exfiltrate them, delete them, and take screenshots of the affected systems.

Espionage: In search of confidential data

The authors of the campaign are particularly interested in confidential data, such as files with the extension .pgp (Pretty Good Privacy) or .pem (Privacy Enhanced Mail). The attackers also look for financial data, such as QuickBooks log files (.tlg extension).

The domain and IP addresses associated with the campaign are new. The malicious code shows no similarities to previously known malware. Bitdefender Labs was the first to spot the new malware campaign and named it DownEx.

Targeted attacks on companies

The attackers go after selected victims. The initial attack vector is not known, but spear phishing and social engineering most likely stand at the beginning of every attack. To deliver the payload, the criminals use an executable that carries the familiar, plain .docx icon, so that it passes for a Word document. The second payload is an .hta file (stored without that file extension) with embedded malicious VBScript code that connects the compromised system to the C2C server. An .hta (HTML Application) file contains VBScript, HTML, CSS, or JavaScript code and runs as a standalone application in Windows environments. The subsequent, hard-to-detect communication between the server and the victim system runs via the Python-based backdoor help.py.
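As an added illustration (not code from Bitdefender's report or from the malware itself), the following Python hunting check runs over constructed process-creation events and flags two observable traits of the chain above: mshta.exe, the Windows HTA host (not named in the article), started on a file that lacks the .hta extension, and a Python interpreter running a script called help.py. The event schema and every path used are assumptions.

```python
import ntpath
import shlex
from typing import Dict, List, Tuple

# Constructed process-creation events in a simplified, Sysmon-like schema
# (field names are an assumption); none of these are real telemetry.
EVENTS: List[Dict[str, str]] = [
    # benign: an HTA launched with its normal extension
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" C:\Tools\setup.hta'},
    # suspicious: the HTA host running a file that carries no .hta extension
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" C:\Users\u\AppData\Local\Temp\report'},
    # suspicious: a Python interpreter started on a script named help.py
    {"image": r"C:\Users\u\AppData\Local\Programs\Python\Python39\python.exe",
     "cmdline": r"python.exe C:\Users\u\AppData\Local\Temp\help.py"},
    # benign: an ordinary build script
    {"image": r"C:\Python39\python.exe", "cmdline": r"python.exe build.py"},
]


def _args(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring quotes, and
    drop the program token; posix=False keeps backslashes intact."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)][1:]


def find_suspicious(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, offending_argument) pairs for events that match
    either trait of the DownEx chain described in the article."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        exe = ntpath.basename(ev["image"]).lower()
        if exe == "mshta.exe":
            # HTA content is hosted by mshta.exe regardless of the file's
            # extension, so an extension-less (or non-.hta) target is a flag.
            for a in _args(ev["cmdline"]):
                if a[:1] in ("-", "/"):
                    continue  # a switch, not a target file
                if not a.lower().endswith(".hta"):
                    hits.append(("mshta_non_hta_target", a))
        elif exe.startswith("python"):
            # The article names help.py as the Python backdoor script.
            for a in _args(ev["cmdline"]):
                if ntpath.basename(a).lower() == "help.py":
                    hits.append(("python_help_py", a))
    return hits
```

Calling `find_suspicious(EVENTS)` returns the two suspicious events and nothing for the benign ones; in practice the same checks would be fed from Sysmon event 1 or EDR process telemetry.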

Russian background? – State background!

The indicators and techniques used can point to a Russian background of the actors, but no definitive statement can be made on this. The metadata of the document, which carries the identity of a diplomat, could be one indication.


Likewise, the malware was built with a cracked version of Microsoft Office 2016 that is mainly distributed in Russian-speaking countries ("SPecialisST RePack" or "Russian RePack by SPecialiST"). The backdoor is also written in two languages, a practice known from the Russia-based APT28 group and its Zebrocy backdoor. However, these indications are not conclusive. A state background to this highly targeted attack, by contrast, is obvious: the metadata of the Word document names an actual diplomat as the supposed sender.

More at Bitdefender.com

About Bitdefender

Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de
