New GZipDe malware spotted serving up Metasploit backdoor

Security researchers have discovered a new malware strain dubbed GZIpDe that appears to be a part of a targeted cyberespionage campaign and drops a Metasploit backdoor. According to AlienVault researchers, the malware was detected after a user from Afghanistan uploaded a weaponized Microsoft Word document on VirusTotal.

"Although the final goal seems to be the installation of a Metasploit backdoor, we found an interesting .NET downloader which uses a custom encryption method to obfuscate process memory and evade antivirus detection," AlienVault researcher Jose Manuel Martin wrote in a blog post.

The malicious decoy document embedded with macro malware that contained text taken from an article published in May about the next Shanghai Coorperation Organization Summit. If opened, a Visual Basic script stored as a hexadecimal stream is executed that runs a new task in a hidden Powershell console. A PE32 executable is downloaded which drops the GZipDe malware.

The payload contained shellcode that contacts the server which is currently offline. Researchers said Shodan happened to index the server and recorded it serving a Metasploit payload.

"It contains shellcode to bypass system detection and a Meterpreter payload - a capable backdoor," researchers noted. "For example, it can gather information from the system and contact the command and control server to receive further commands."

The shellcode also loads the entire DLL into memory, allowing it to operate without writing information into the disk in an operation named Reflective DLL injection. The attacker can then drop any payload to gain elevated privileges and move laterally within the local network.

This shellcode loads the entire DLL into memory, so it’s able to operate while writing no information into the disk. This operation is called Reflective DLL injection. From this point, the attacker can transmit any other payload in order to acquire elevated privileges and move within the local network.

Cybercriminals are increasingly opting for ready-made, available tools such as Metasploit or Cobalt Strike rather than custom malware for targeted attacks. It is still unclear who is behind the GZipDe malware and what their end goal is.

"We’ve only seen one sample of the malware," AlienValt security researcher Chris Doman told Bleeping Computer. "It seems very targeted. Given the decoy document is in English and uploaded from Afghanistan, it may have been targeting someone in an embassy or similar there."