This blog post was authored by Hossein Jazi.
On November 10 we identified a multi-stage PowerShell attack using a document lure impersonating the Kazakh Ministry of Health Care, leading us to believe it targets Kazakhstan.
A threat actor under the user name of DangerSklif (perhaps in reference to Moscow's emergency hospital) created a GitHub account and uploaded the first part of the attack on November 8.
In this blog we will review the different steps the attacker took to fly under the radar with the intent on deploying Cobalt Strike onto its victims.
The attack started by distributing a RAR archive named "Уведомление.rar" ("Notice.rar"). The archive file contains a lnk file with the same name pretending to be a PDF document from "Ministry of Health Care, Republic of Kazakhstan". Upon opening the lnk file, a PDF file will be shown to confuse victims while in the background multiple stages of this attack are being executed. The decoy document is an amendment for a Covid 19 policy that has been issued by the Chef State Sanitary of the Republic of Kazakhstan.
The following figure shows the overall process of this attack. The attack started by executing the lnk file that calls PowerShell to perform several techniques such as privilege escalation and persistency through an autorun registry key. We will provide the detailed analysis in the next section.
All stages of this attack have been hosted in one Github repository named GoogleUpdate. This repository was created on November 8th by a user named DangerSklif. The DangerSklif user was created on GitHub on November 1st.
The embedded lnk file is obfuscated and after de-obfuscation we can see that it used cmd.exe to call PowerShell to download and execute the first stage of the attack from the Github account (lib7.ps1).
The lib7.ps1 downloads the decoy PDF file from the same Github account and stores it in the Downloads directory. In the next step it opens the decoy PDF to confuse the user while it performs the rest of process in the background, which includes getting the OS version and downloading the next stage based on the OS version.
If the OS version is 7 or 8, it downloads and executes lib30.ps1 and if the OS version is 10 it downloads and executes lib207.ps1. The reason the actor is checking the OS version is because it is trying to execute the right privilege escalation method. These techniques previously used by TA505 in their campaign to drop SrvHelper.
- Using the SilentCleanup task in the Task Scheduler to bypass UAC in Windows 10: Attacker used Lib207.ps1 to bypass UAC in Windows 10. The PowerShell commands used to perform the bypass are XOR encrypted using 0x58 key.
After decrypting the commands, we can see the process of UAC bypass which includes creating a SilentCleanup task in the Task Scheduler that calls PowerShell to execute the created vbs file with higher privilege.
- Using the sysprep.exe system utility and DLL side-loading to bypass UAC in Windows 7 and 8: Lib30.ps1 is used to execute this bypass. Simliar to lib207.ps1 this PowerShell script is also XOR encrypted but using different key (0x02).
Figure 9 shows PowerShell commands after decryption. The process starts by creating a batch file (cmd.bat) in the "Windows/Temp" directory. In the next step, a cab archive file is created containing a DLL (CRYPTBASE.dll for Windows 7 or shcore.dll for Windows 8. Then this cab file is extracted into the C:\Windows\System32\Sysprep directory using wusa.exe.
At the end, the sysprep.exe system utility launches which side loads the CRYPTBASE.dll for Windows 7 or shcore.dll for Windows 8. This DLL executes the created cmd.bat file which leads to executing it with a high privilege.
After bypassing UAC, in all OS versions the next stage payload is downloaded and executed (lib106.ps1).
This stage performs the following actions:
- Creates a vbs file (cu.vbs) in ProgramFiles directory and makes this multi-stage attack persistence by adding this vbs file to HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key.
- Makes vbs file hidden using "Attrib.exe +h" command.
- Downloads and executes the final stage (updater.ps1) using PowerShell.
The final stage (updater.ps1) is executing Cobalt Strike in PowerShell context. In fact this PowerShell script is PowerShell variant of Cobalt Strike.
The Cobalt Strike ShellCode is base64 encoded and XOR encrypted using 35 key. After decoding and decrypting the ShellCode it allocates it into memory using VirtualAlloc and finally execute it by calling Invoke function.
Kazakhstan in the news
Kazakhstan has been in the news recently for taking over China in the cryptomining industry, depleting its own electric resources. The energy-rich country is a very important ally for Russia in particular with lucrative joint oil and gas ventures.
Other than their GitHub profile, we do not have much information on the threat actor or their exact intention with this attack. However, monitoring and espionage are a likely motive.
Malwarebytes users were protected thanks to the Anti-Exploit layer of our product.