At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.
In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution
The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.
We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”
Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.
The following shows the overall process flow when executing the malicious LNK file.
LNK file
The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.
Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) .
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.
The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
