- Short Summary: AhnLab SEcurity intelligence Center (ASEC) has identified a malicious MSC file exploiting Amazon services, leading to the distribution of malware that downloads and executes harmful files on user systems.
- Key Points:
- Malicious MSC files exploit a vulnerability in apds.dll.
- Payloads are inserted into the <StringTables> section of the MSC file.
- Malware downloads various files, including ‘msedge.dll’, from AWS S3.
- Normal PDF files are used as decoys to hide malware execution.
- Injected ‘dllhost.exe’ connects to external servers to download additional shellcode.
- Phishing emails are suspected as the distribution method for the malicious files.
MITRE ATT&CK TTPs – created by AI
- Execution (T1203):
- Exploitation of vulnerabilities in software to execute malicious payloads.
- Command and Control (T1071):
- Communication with external servers to download additional payloads.
- Persistence (T1547):
- Malware establishes persistence through various downloaded components.
- Defense Evasion (T1562):
- Using legitimate processes and files to hide malicious activities.
AhnLab SEcurity intelligence Center (ASEC) has discovered the distribution of a malicious MSC file that abuses the Amazon service. Files with the MSC extension have an XML-based structure and are executed by Microsoft Management Console (MMC).
Distribution has increased since the disclosure by Elastic Security Labs on June 22nd. The two MSC files obtained this time contain payloads inserted into the <StringTables> section of the MSC file, which are triggered via a vulnerability in apds.dll. In July, a similar type was introduced in AhnLab TIP’s exclusive content (ValleyRAT Being Distributed Through MSC Malware).
Figure 1. Internal code of MSC file
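Because the payload lives inside the XML <StringTables> section, a defender can triage MSC files offline by parsing that section and flagging strings that should never appear in a legitimate console file. The following scanner is an added example, not code from ASEC or from the report: the sample console documents, the element layout they use, and the indicator names are constructed for illustration, and the three heuristics (embedded HTML/script markup, a download URL, a reference to apds.dll) are drawn from the behaviour the report describes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from the report): a minimal MMC console file whose
# StringTables section carries the kinds of strings the report describes.
SAMPLE_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables>
    <StringTable>
      <GUID>{00000000-0000-0000-0000-000000000000}</GUID>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">&lt;html&gt;&lt;script&gt;/* placeholder */&lt;/script&gt;&lt;/html&gt;</String>
        <String ID="3" Refs="1">https://bucket.example.invalid/msedge.dll</String>
        <String ID="4" Refs="1">apds.dll</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed benign console for comparison: only ordinary display strings.
BENIGN_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Services (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Heuristic indicators (assumed names). A legitimate console file carries
# snap-in names and GUIDs in its string table, not markup, URLs or apds.dll.
INDICATORS = {
    "embedded_markup": re.compile(r"<\s*/?\s*(script|html|iframe|object|body)\b", re.I),
    "url": re.compile(r"\b(?:https?|hxxps?)://", re.I),
    "apds_reference": re.compile(r"\bapds\.dll\b", re.I),
}


def extract_string_table(msc_xml):
    """Return (string_id, text) pairs for every <String> under <StringTables>.

    ElementTree decodes XML entities, so a string stored as &lt;script&gt;
    comes back as <script> and can be matched directly.
    """
    root = ET.fromstring(msc_xml)
    pairs = []
    for tables in root.iter("StringTables"):
        for s in tables.iter("String"):
            pairs.append((s.get("ID"), s.text or ""))
    return pairs


def scan_msc(msc_xml):
    """Scan one MSC document; return one finding per string that hits an indicator."""
    findings = []
    for sid, text in extract_string_table(msc_xml):
        hits = sorted(name for name, pat in INDICATORS.items() if pat.search(text))
        if hits:
            findings.append({"string_id": sid, "indicators": hits, "excerpt": text[:60]})
    return findings


def is_suspicious(msc_xml):
    return bool(scan_msc(msc_xml))


def scan_msc_file(path):
    """Scan an .msc file from disk. Bytes are passed through so that
    ElementTree honours the encoding declared in the file (often UTF-16)."""
    with open(path, "rb") as fh:
        return scan_msc(fh.read())


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_MSC), ("benign", BENIGN_MSC)):
        print(label, "suspicious" if is_suspicious(doc) else "clean")
        for finding in scan_msc(doc):
            print("  string", finding["string_id"], finding["indicators"], repr(finding["excerpt"]))
```

Run it against a directory of .msc files with `scan_msc_file` to get a quick list of consoles worth a closer look; the heuristics are deliberately narrow, so a hit is a triage signal rather than a verdict, and a clean result does not prove the file benign.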
First case: When the file is run, various malicious files including ‘msedge.dll’ are downloaded to ‘C:\Users\Public’ from AWS S3 (object storage service), and a normal PDF file and ‘Edge.exe’ are run. Because the normal PDF file opens, it is difficult for users to notice that the malware ‘msedge.dll’ is executing.
Figure 2. MSC final payload (left), bait PDF file (right)
‘Edge.exe’ loads ‘msedge.dll’, which decrypts ‘Logs.txt’ into shellcode. ‘dllhost.exe’ is then executed as a child process and the decrypted shellcode is injected into it.
Figure 3. Creating child process
The injected ‘dllhost.exe’ connects to 152.42.226.161:88/ins.tg to download additional shellcode and executes it. It also attempts to communicate with ‘static.sk-inc.online:8443/etc.clientlibs/microsoft/clientlibs/clientlib-mwf-new/resources/fonts’ to download additional files, but further analysis could not be performed because the server was closed at the time of analysis.
Figure 4. Communication history
Second case: Similar to the first case, multiple files are downloaded to ‘C:\Users\Public’ from AWS S3 (object storage service) and ‘oncesvc.exe’ is executed. However, the ‘readme.docx’ file, which is assumed to be a bait file, could not be found.
Figure 5. MSC final payload
‘oncesvc.exe’ is actually the normal .NET component ‘dfsvc.exe’, which reads the ‘oncesvc.exe.config’ file to download and run ‘hxxps://speedshare.oss-cn-hongkong.aliyuncs.com/af7ffc2a629a1c258336fde8a1f71e0a.json’.
The downloaded json file is actually a DLL. It AES-decrypts the URL ‘hxxps://speedshare.oss-cn-hongkong.aliyuncs.com/2472dca8c48ab987e632e66caabf86502bf3.xml’ and downloads the shellcode from it. Afterwards, a new thread is created to run the shellcode.
Figure 6. Internal code of DLL (json) file
Lastly, communication with Amazon cloud is attempted, but the returned data is unknown because the server currently returns NULL. If a non-NULL response is received, the data is decrypted and a new thread is created to execute it.
Figure 7. Code that creates and runs new thread
The source of the file is unknown, but it is assumed that it was distributed via phishing e-mails. Thus, users must take caution when opening such emails.
Source : https://asec.ahnlab.com/en/82707/