Python Info-stealer Distributed by Malicious Excel Document | FortiGuard Labs

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attack
Severity Level: High

In January 2024, FortiGuard Labs obtained an Excel document distributing an info-stealer. From the fingerprints in this attack, it is related to a Vietnamese-based group that was first reported on in August 2023 and again in September. The attack stages before the info-stealer are simple downloaders that increase the difficulty of detection. This article introduces each stage in this attack and provides a glimpse into the world behind the malware campaign.

Infection Vector

Figure 1: Attack flow

Malicious Excel Document

The first stage of this attack is an Excel document with a VBA script that executes a PowerShell command to download a Windows Update.bat from filebin.net.

Figure 2: VBA script used in the first attack stage

Windows Update.bat

Figure 3 is a screenshot of Windows Update.bat, protected by the Abobus obfuscator. The obfuscation inserts variables whose names contain non-English characters and “^” escape characters into the original code. Additionally, variable substring expansions (%variable:~start,length%) are used to replace the letters of the original code.
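The two tricks just described (substring expansions of a set variable, plus caret escapes) can be undone mechanically. The following Python is an added analysis example, not code from the report or from the sample; the batch text it processes is constructed here to mirror the technique and is not the real Windows Update.bat.

```python
import re

# %NAME% or %NAME:~START[,LEN]%  (cmd.exe variable expansion and substring syntax)
_EXPANSION = re.compile(r"%([^%:=\s]+)(?::~(-?\d+)(?:,(-?\d+))?)?%")
# set NAME=VALUE  or  set "NAME=VALUE"
_SET = re.compile(r'^\s*set\s+"?([^=\s"]+)=([^"\r\n]*)"?\s*$', re.IGNORECASE)


def cmd_substring(value, start, length=None):
    """Mimic cmd.exe %var:~start,len%: negative start/len count from the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    end = n + length if length < 0 else start + length
    return value[start:end] if end > start else ""


def _expand(line, env):
    def repl(m):
        name = m.group(1).lower()          # cmd variable names are case-insensitive
        if name not in env:
            return m.group(0)              # unknown variable: leave it for the analyst
        start = int(m.group(2)) if m.group(2) else 0
        length = int(m.group(3)) if m.group(3) else None
        return cmd_substring(env[name], start, length)
    return _EXPANSION.sub(repl, line)


def deobfuscate_batch(text):
    """Collect set-variables, resolve %var:~s,l% expansions, then strip caret escapes."""
    env, out = {}, []
    for line in text.splitlines():
        m = _SET.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
            continue
        expanded = _expand(line, env)
        # cmd removes '^' after %-expansion, so p^o^w is executed as pow
        out.append(re.sub(r"\^(.)", r"\1", expanded))
    return "\n".join(out)


# Constructed sample: a non-English variable name holds the alphabet and each
# letter of the real command is pulled out by offset (hypothetical, not the real file).
SAMPLE_BAT = """@echo off
set "ăbc=abcdefghijklmnopqrstuvwxyz"
%ăbc:~15,1%%ăbc:~14,1%^w%ăbc:~4,1%r%ăbc:~18,1%hell -c "Start-Sleep 1"
"""

if __name__ == "__main__":
    print(deobfuscate_batch(SAMPLE_BAT))
```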

Figure 3: Windows Update.bat

Figure 4 is the malicious part of the original code, which downloads and executes test.vbs in the next stage.

Figure 4: Deobfuscated Windows Update.bat

Test.vbs

Test.vbs is roughly the same as the middle stage of the campaign reported in August 2023. It downloads three files:

- script.py: the information stealer.
- Document.zip: Python 3.11 with the libraries script.py needs.
- bypass.vbs: executes script.py with the downloaded Python.

Script.py is obfuscated by PyObfuscate, which means it needs extra modules to be executed properly. Document.zip is downloaded to solve this problem.

In addition, test.vbs creates a value named “WinUpdater” within the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to automatically run bypass.vbs when the victim logs in.

Figure 5: Script.py before deobfuscation

Script.py – The info-stealer

Unlike the info-stealer described in the August 2023 report, script.py only collects browsers’ cookies and login data. It extracts data from a wide range of browsers, from familiar browsers such as Chrome and Edge to browsers focused on the local market, like the Cốc Cốc browser.

Figure 6: Extracting victim information from SQLite database

The collected data is compressed into a zip file, which is sent to the attacker’s Telegram bot along with a message containing the date, the victim’s country, IP address and language, the password count, and the cookie count.

Figure 7: Script.py sends user information to the attacker's telegram bot

Furthermore, a watermark in the message sent to the bot links to a telegram channel that provides hacking tools and sensitive information. Though it is not directly relevant to this campaign group, it still gives a fresh example of how stolen information is spread.

Figure 8: Screenshot of the telegram channel

Abused Open Platforms

As we mentioned, many stages of this attack are downloaded from an open platform. This gives us a chance to gather more information about this hacker group.

Figure 9: The GitLab repository accessed by the middle stage of the attack

Apart from the files used in the infection vector, files sharing several commonalities with this campaign were also uploaded: for example, obfuscated batch files and VBScript files that execute PowerShell code identical to Windows Update.bat and test.vbs. From those downloaders, we found more repositories related to this hacker group.

Figure 10: A middle stage that has almost the same code as test.vbs except for the download link

In addition, the repositories host malware probably used in other campaigns, including XWorm, VenomRAT, RedLine, etc.

New Campaign

We also found clues to another campaign from the Telegram bot that receives the victim’s information. As Figure 10 shows, the threat actor tricked the victim into enabling macros in a Word document named “done 300coki.docm.”

Figure 11: A part of a screenshot from the chat history of the telegram bot.

Though we couldn’t obtain the file named in Figure 10, the file name dropped a hint that they used cookies as a lure. Moreover, we found another Word document containing Facebook cookies and a malicious macro in the chat history.

Figure 12: Another Word document from the bot.

Like the Excel document we mentioned previously, the macro downloads an obfuscated batch file, which downloads the next stage of the attack. However, the infection vector was divided into more pieces, as Figure 12 shows.

Figure 13: Attack flow of a new campaign

The DLL files are extracted from image files: the DLL data is base64-encoded and appended to a JPG file.
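A defender can check for exactly this layout: anything after a JPEG's end-of-image marker (FF D9) that is base64 and decodes to an MZ header. The Python below is an added example, not code from the report; it tries every EOI marker (an EXIF thumbnail carries its own), and the image bytes and the stand-in PE header are constructed inline.

```python
import base64
import re

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
_B64_BODY = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def extract_appended_pe(data):
    """Look for base64 text appended after a JPEG EOI marker that decodes to a PE image.

    Every EOI in the file is tried so an embedded thumbnail's EOI cannot mask the
    real trailer. Returns (trailer_offset, decoded_bytes) or None.
    """
    if not data.startswith(JPEG_SOI):
        return None
    pos = 0
    while True:
        eoi = data.find(JPEG_EOI, pos)
        if eoi < 0:
            return None
        trailer_off = eoi + 2
        candidate = b"".join(data[trailer_off:].split())   # tolerate line breaks
        if candidate and _B64_BODY.fullmatch(candidate):
            try:
                decoded = base64.b64decode(candidate, validate=True)
            except ValueError:
                decoded = b""
            if decoded.startswith(b"MZ"):
                return trailer_off, decoded
        pos = trailer_off


# Constructed test data: a stand-in PE header (not a real DLL) and a minimal JPEG
# whose EXIF thumbnail contributes an inner EOI before the real one.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 32
B64_TRAILER = base64.encodebytes(FAKE_PE)
CLEAN_JPG = (JPEG_SOI + b"\xff\xe1\x00\x10Exif\x00\x00"
             + JPEG_SOI + b"\x00\x11" + JPEG_EOI          # thumbnail with its own EOI
             + b"\x01\x02\x03" + JPEG_EOI)
SAMPLE_JPG = CLEAN_JPG + B64_TRAILER

if __name__ == "__main__":
    hit = extract_appended_pe(SAMPLE_JPG)
    if hit:
        print(f"appended PE at offset {hit[0]}, {len(hit[1])} bytes after decoding")
    else:
        print("no appended PE found")
```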

Figure 14: The picture and appended data

The payload is XWorm, which we also found variants of on the GitHub repositories mentioned in the Abused Open Platforms section.

Conclusion

The threat actors separate the malware campaign into several simple downloaders and use open platforms to avoid detection. However, this also provided clues to identify the hacker group. From the information left in the files, we also found files abused in other campaigns and the SNS platforms being abused to distribute malware. Such services not only provide a convenient environment for people but are commonly used by threat actors.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

VBA/Agent.ZCI!tr
MSIL/Injector.UWS!tr
VBA/Agent.4C99!tr.dldr
VBS/Agent.HLI!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.

The FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious macros in the document.

We also suggest that organizations go through Fortinet’s free Fortinet Certified Fundamentals (FCF) in cybersecurity training. The training is designed to help end users learn about today’s threat landscape and will introduce basic cybersecurity concepts and technology.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs
