Keypoints
- The initial vector was a malicious Word document (MyCv.doc) containing hidden macros that drop a .NET payload named Menorah.exe.
- The macro creates a scheduled task named “OneDriveStandaloneUpdater” to persist by executing Menorah.exe from %ALLUSERSPROFILE%\Office356.
- Menorah fingerprints the host (MachineName + Username → MD5 → XOR with a hardcoded string → Base64) and sends that fingerprint over HTTP to a hardcoded C2: tecforsc-001-site1.gtempurl.com/ads.asp.
- The backdoor supports executing commands, listing directories/files, uploading specified files, and downloading files from the C2 (commands like +sp, +f1, +dn).
- The sample includes sandbox-evasion logic (requires a specific execution argument) and added obfuscation for C2 traffic (hashing and Base64 encoding) to reduce detection.
- Two SHA256s are provided as IOCs and detections label the samples as variants of SideTwist (Trojan.W97M.SIDETWIST.AB and Trojan.MSIL.SIDETWIST.AA).
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The campaign begins with a malicious document used in a targeted phishing attack that drops the payload (‘malicious document dropping a hardcoded malware’).
- [T1204.002] User Execution: Malicious File – The Word document contains hidden macros that execute when opened to drop the .NET malware (‘hidden macros responsible for dropping a .NET malware’).
- [T1053.005] Scheduled Task/Job – The macro creates a scheduled task named “OneDriveStandaloneUpdater” to run Menorah.exe for persistence (‘creates a scheduled task named “OneDriveStandaloneUpdater” to execute the Menorah.exe malware’).
- [T1083] File and Directory Discovery – The backdoor can enumerate directories and files on the compromised host (‘list directories and files, upload selected files from the compromised system’).
- [T1041] Exfiltration Over C2 – Menorah can upload specific files to its command-and-control server (‘Malware will upload a specific file to the C&C server’).
- [T1071.001] Application Layer Protocol: Web Protocols – Communication with C2 uses HTTP to a hardcoded URL for command exchange (‘http[:]//tecforsc-001-site1[.]gtempurl.com/ads.asp’).
- [T1027] Obfuscated Files or Information – The malware hashes, XORs, and Base64-encodes identifiers and C2 payloads to obscure traffic (‘MD5 hash … XOR with a hardcoded string and encoded in Base64’).
- [T1497] Virtualization/Sandbox Evasion – Execution checks for a specific argument and terminates if absent to avoid analytic/sandbox environments (‘In the absence of the specified argument, the malware will terminate and stop its execution’).
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The backdoor can execute shell commands received from the C2 (‘Malware will receive a command and execute it on the compromised system’).
Indicators of Compromise
- [SHA256] payload hashes – 8a8a7a506fd57bde314ce6154f2484f280049f2bda504d43704b9ad412d5d618, 64156f9ca51951a9bf91b5b74073d31c16873ca60492c25895c1f0f074787345
- [URL] C2 domain – hxxp://tecforsc-001-site1[.]gtempurl[.]com/ads.asp (hardcoded C2 used for HTTP communication)
- [File names / artifacts] malicious document and payload – MyCv.doc (malicious lure), Menorah.exe (dropped .NET backdoor), scheduled task ‘OneDriveStandaloneUpdater’ (persistence)
- [Detections] vendor labels – Trojan.W97M.SIDETWIST.AB, Trojan.MSIL.SIDETWIST.AA (used to identify the samples)
The technical infection chain begins when the victim opens MyCv.doc, a phishing lure containing hidden VBA macros. Those macros perform string decoding and drop a .NET executable (Menorah.exe) into %ALLUSERSPROFILE%\Office356, then create a scheduled task named “OneDriveStandaloneUpdater” to execute the binary for persistence.
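A hunting routine for the persistence step above, added here as an example and not part of the Trend Micro report: it scans task-creation records for the task name, the drop directory and the payload name the report gives. The record layout (flattened key=value fields resembling Windows Security event 4698/4702) and every sample line are constructed assumptions, not real exports.

```python
"""
Flag scheduled-task creation/update events that match the Menorah persistence
described in the report: a task named "OneDriveStandaloneUpdater" running
Menorah.exe from %ALLUSERSPROFILE%\Office356 (C:\ProgramData by default).
The key=value layout below is an assumed flattening of Windows Security events
4698 (task created) and 4702 (task updated); the lines are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample records (not from the report).
SAMPLE_EVENTS = [
    "EventID=4698 User=CORP\\alice TaskName=\\OneDriveStandaloneUpdater "
    "Command=C:\\ProgramData\\Office356\\Menorah.exe Arguments=",
    # Benign look-alike: the genuine OneDrive updater task in the user profile.
    "EventID=4698 User=CORP\\bob TaskName=\\OneDrive Standalone Update Task-S-1-5-21-1 "
    "Command=C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe Arguments=",
    # Different task name and binary, but launched from the same drop directory.
    "EventID=4698 User=CORP\\carol TaskName=\\Backup "
    "Command=C:\\ProgramData\\Office356\\update.exe Arguments=/q",
    "EventID=4702 User=CORP\\dave TaskName=\\OneDriveStandaloneUpdater "
    "Command=C:\\ProgramData\\Office356\\Menorah.exe Arguments=",
]

# key=value pairs; a value runs until the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Indicators taken from the report.
TASK_NAME = "onedrivestandaloneupdater"
DROP_DIR = re.compile(r"\\programdata\\office356\\", re.IGNORECASE)  # %ALLUSERSPROFILE% default
PAYLOAD = "menorah.exe"


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened record into a dict of its fields."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicators matched by one task event (empty list = no match)."""
    if event.get("EventID") not in {"4698", "4702"}:
        return []
    reasons = []
    name = event.get("TaskName", "").lstrip("\\").lower()
    command = event.get("Command", "")
    if name == TASK_NAME:
        reasons.append("task name matches Menorah persistence task")
    if DROP_DIR.search(command):
        reasons.append("action runs from %ALLUSERSPROFILE%\\Office356")
    if command.lower().endswith(PAYLOAD):
        reasons.append("action is Menorah.exe")
    return reasons


def hunt(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (user, task name, reasons) for every event that matched at least one indicator."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event.get("User", ""), event.get("TaskName", ""), reasons))
    return hits


if __name__ == "__main__":
    for user, task, reasons in hunt(SAMPLE_EVENTS):
        print(f"{user}: {task} -> {'; '.join(reasons)}")
```

The drop-directory check is kept separate from the task-name check on purpose: a renamed task or renamed binary still trips the path indicator, while the genuine OneDrive updater task (which lives under the user profile, not ProgramData) produces no hit.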
At runtime Menorah first enforces an execution-argument check, terminating if the expected argument is absent, to evade analysis. It then builds a unique host fingerprint by concatenating the machine name and username, computing an MD5 hash, XOR-ing the result with a hardcoded string and Base64-encoding it, and sends that fingerprint via HTTP to the hardcoded C2 (tecforsc-001-site1.gtempurl.com/ads.asp) on a 32-second timer. The C2 response is expected as an encrypted Base64 message which, once decoded and split, drives the supported commands: remote shell execution, directory/file listing, file upload (+dn), and file download.
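Detection logic for the beaconing behaviour just described, added here as an example rather than code from the report: an exact-indicator check on the hardcoded C2 URL, and a behavioural check that looks for request series repeating at the 32-second interval regardless of the domain. The proxy log format (timestamp, source IP, method, host, path), the jitter tolerance and the minimum hit count are assumptions; all log lines are constructed samples.

```python
"""
Two complementary checks over HTTP proxy logs for the Menorah beacon:
  1. ioc_matches(): requests to the hardcoded C2 URL from the report.
  2. beacon_candidates(): any (client, host, path) series whose request gaps
     cluster around the report's 32-second timer, which also catches a
     re-hosted C2 that the URL indicator would miss.
Log layout "timestamp src method host path" is an assumed simplification.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import List, Tuple

C2_HOST = "tecforsc-001-site1.gtempurl.com"   # from the report
C2_PATH = "/ads.asp"                           # from the report
BEACON_INTERVAL = 32.0   # seconds, from the report
TOLERANCE = 2.0          # accepted jitter in seconds (assumption)
MIN_HITS = 4             # requests needed before calling it a beacon (assumption)

# Constructed sample proxy log (not from the report).
SAMPLE_LOG = """\
2023-09-01T10:00:00 10.1.1.5 GET tecforsc-001-site1.gtempurl.com /ads.asp
2023-09-01T10:00:32 10.1.1.5 GET tecforsc-001-site1.gtempurl.com /ads.asp
2023-09-01T10:00:40 10.1.1.7 GET www.example.org /index.html
2023-09-01T10:01:04 10.1.1.5 GET tecforsc-001-site1.gtempurl.com /ads.asp
2023-09-01T10:01:36 10.1.1.5 GET tecforsc-001-site1.gtempurl.com /ads.asp
2023-09-01T10:02:08 10.1.1.5 GET tecforsc-001-site1.gtempurl.com /ads.asp
2023-09-01T10:00:05 10.1.1.9 GET cdn.example.net /ads.asp
2023-09-01T10:00:37 10.1.1.9 GET cdn.example.net /ads.asp
2023-09-01T10:01:09 10.1.1.9 GET cdn.example.net /ads.asp
2023-09-01T10:01:41 10.1.1.9 GET cdn.example.net /ads.asp
2023-09-01T10:03:00 10.1.1.7 GET www.example.org /news
2023-09-01T10:09:00 10.1.1.7 GET www.example.org /news
"""

Row = Tuple[datetime, str, str, str]  # (timestamp, src, host, path)


def parse(log: str) -> List[Row]:
    """Parse the simplified proxy format into typed rows."""
    rows = []
    for line in log.splitlines():
        ts, src, _method, host, path = line.split()
        rows.append((datetime.fromisoformat(ts), src, host, path))
    return rows


def ioc_matches(rows: List[Row]) -> List[str]:
    """Exact-indicator check: clients that contacted the hardcoded C2 URL."""
    return sorted({src for _, src, host, path in rows if host == C2_HOST and path == C2_PATH})


def beacon_candidates(rows: List[Row], interval: float = BEACON_INTERVAL,
                      tol: float = TOLERANCE, min_hits: int = MIN_HITS):
    """Behavioural check: series whose inter-request gaps all sit within `tol` of `interval`."""
    series = defaultdict(list)
    for ts, src, host, path in rows:
        series[(src, host, path)].append(ts)
    found = []
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        # Median near the known timer and low spread around it = regular beacon.
        if abs(med - interval) <= tol and all(abs(g - med) <= tol for g in gaps):
            found.append((key, med))
    return found


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("C2 URL hits:", ioc_matches(rows))
    for (src, host, path), med in beacon_candidates(rows):
        print(f"beacon-like: {src} -> {host}{path} every ~{med:.0f}s")
```

In the sample, 10.1.1.5 trips both checks, while 10.1.1.9 only trips the interval check (same timer, same path, different host); the interval check is what a defender keeps once the reported domain has been burned.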
Static analysis confirms the backdoor’s primary commands and behaviors (execute commands, list files, upload/download files) and shows added evasion/obfuscation compared to earlier SideTwist variants; two sample hashes and vendor detections are provided to support hunting and blocking.
Read more: https://www.trendmicro.com/en_us/research/23/i/apt34-deploys-phishing-attack-with-new-malware.html