GZipDe Downloader spotted serving a Metasploit backdoor

Security experts from AlienVault have spotted a new piece of malware named GZipDe that was used in a cyber-espionage campaign.

GZipDe is downloader that is used by threat actors to fetch other payloads from a server controlled by attackers.

The malware was detected after user from Afghanistan has uploaded a weaponized Word document on VirusTotal service, the document refers to the Shanghai Cooperation Organization Summit.

At the time it is not possible to attribute the malicious code to a specific actor, VirusTotal doesn’t share information about the source of the upload and the target of the attack was not disclosed, the researchers were only able to analyze the sample.

“It seems very targeted,” Chris Doman, a security researcher with AlienVault told Bleeping Computer. “Given the decoy document is in English and uploaded from Afghanistan, it may have been targeting someone in an embassy or similar there.”

The malicious code was a multi-stage malware, the attack chain starts with a spear-phishing message spreading the weaponized Word document, the final goal appears to be the delivery of a Metasploit backdoor.

“This is the first step of a multistage infection in which several servers and artifacts are involved. Although the final goal seems to be the installation of a Metasploit backdoor, we found an interesting .NET downloader which uses a custom encryption method to obfuscate process memory and evade antivirus detection.” reads the report published by Alien Vault.

The document was designed to trick victims into enabling macros, which then executes a Visual Basic script stored as a hexadecimal stream, and executes a new task in a hidden Powershell console which downloads a PE32 executable. The ultimate step consists of the delivery of the GZipDe malware.

 

The GZipDe downloader was written in .NET, and implements a custom encryption method to obfuscate process memory and evade antivirus detection.

While investigating the GZipDe downloader the experts noticed that the server used to store the payloads that were fetched by the malware was down.

Further investigation allowed AlienVault to find information about the server on the Shodan search engine that had indexed it and recorded it serving a Metasploit backdoor.

“The payload contains shellcode that contacts the server at 175.194.42[.]8. Whilst the server isn’t up, Shodan recorded it serving a Metasploit payload:”

“The server, 175.194.42[.]8, delivers a Metasploit payload. It contains shellcode to bypass system detection (since it looks to have a valid DOS header) and a Meterpreter payload – a capable backdoor. For example, it can gather information from the system and contact the command and control server to receive further commands.”

The shellcode loads the entire DLL into memory, it is a fileless malware that could allow attackers to transmit any other payload in order to acquire elevated privileges and perform lateral movements within the local network.

The choice of Metasploit is not a novelty, APT groups like Cobalt Strike and CopyKittens adopted it in their campaigns to make hard the attribution of their attacks.

Technical details including IoCs are reported in the analysis published by AlienVault.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – GZipDe , malware)

[adrotate banner=”5″]

[adrotate banner=”13″]