Humorous Cyberattack References Drake’s Song in Malicious Script

Humorous Cyberattack References Drake’s Song in Malicious Script

  • The attacker ran an email-based campaign with a PowerPoint attachment that ultimately delivers malicious payloads.
  • The PowerPoint attachment contained a reference to a Drake song “In My Feelings.”

It seems a few hackers are trying new humorous ways of dumping malware. Now, a hacker who apparently enjoys Drake’s music used lyrics from the artist’s song “In My Feelings” in his malicious code while stealing data.

What did the researchers find?

A hacker with the handle “Master X” was found spreading his malware through PowerPoint scripts that contain a reference to Drake lyric’s “Kiki Do You Love Me.”

  • The attacker ran an email-based campaign with a PowerPoint attachment that ultimately delivers malicious payloads either Lokibot (the info stealer) or Azorult (a RAT).
  • Researchers have also shared a sample of the malicious emails dated January 6, 2020, indicating a Business Email Compromise (BEC) fraud attempt with a call to action in the subject line: “TT Remittance Advice”.
  • Two PowerPoint attachments contain the file names “INVOO13433361.pss” and “Blank slip.pss”.

A security analyst with AppRiver wrote in its blog that “Upon opening either of the PowerPoint attachments, it automatically runs a heavily obfuscated visual basic script.”

Malware behavior

Clicking on either of the files (“INVOO13433361.pss” and “Blank slip.pss”.) triggers a Visual Basic script.

  • The script uses Window’s native Microsoft HTML application host called “mshta.exe,” a Microsoft HTML executable that sends a request to Bitly link shortener.
  • It helps in circumventing browser defense controls to avoid detection.
  • In its first order of business, it uses a command-line task to kill Excel and Word apps.
  • Next, mshta.exe is used to reach plain-text sharing site Pastebin.com to retrieve an encoded script.

“It creates a scheduled task for mshta to reach out to a Pastebin URL every 60 minutes. This is where an encoded script is located and the URL it retrieves dictates whether the recipient ultimately receives the Lokibot or Azorult payload in our samples,” the researcher explained.

‘Keke’ Do You Love Me?

Once the hacker successfully pulls down the Pastebin code, it is translated into a PowerShell script that contains a reference to Drake’s “Kiki Do You Love Me” lyrics.

But, the fun fact here is that the hacker spells Kiki differently. In the PowerShell script, the hacker spells it “Keke” as in “Keke Do You Love Me”.

“This attacker ‘Master X’, retrieved from the metadata inside the PowerPoint, had a sense of humor when he was creating the invoke-expression cmdlet. ‘Master X’ also obfuscated the ‘DownloadString’ inside this PowerShell script below in another attempt to avoid defense solutions monitoring PowerShell activity,” the researcher noted.

The final stage

At last, the PowerShell script communicates with Paste.ee, another plain text sharing site, and downloads the code for a malicious executable named Calc.exe. “We can see this retrieved malicious executable file header when loading up the Paste.ee site,” as per the researcher. It’s unclear how successful this campaign has been so far.