A Look at the Nim-based Campaign Using Microsoft Word Docs to Impersonate the Nepali Government

A malicious Word document using obfuscated VBA macros drops a Nim-compiled backdoor (conhost.exe) that performs anti-analysis checks, communicates with Nepali government–impersonating C2 domains over HTTP, and establishes persistence via the Startup folder and a scheduled task. The campaign includes multi-stage VBScript and batch script chaining to unpack and schedule the payload. #Nim #conhostexe

Keypoints

  • Delivery: A Word document with auto-triggering VBA macros is used as the initial vector, social-engineered to appear from Nepali government sources.
  • Macro obfuscation: VBA project is password-protected and macros use Chr() calls and string concatenation to evade static detection.
  • Multi-stage dropper: VBA writes VBScript and batch files (e.g., OCu3HBg7gyI9aUaB.vbs, skriven.vbs, 8lGghf8kIPIuu3cM.bat) and creates a ZIP (conhost.zip) which contains conhost.exe.
  • Payload: The dropped backdoor (conhost.exe) is written in Nim, runs with user privileges, and was likely compiled on 2023-09-20.
  • Anti-analysis: The backdoor spawns cmd.exe to run tasklist.exe and exits if known analysis tools are detected.
  • C2 and comms: Hostname is encrypted (key “NPA”), double-base64 encoded and appended to randomly chosen govnp domains with “.asp”; commands fetched via HTTP GET and results posted back.
  • Persistence: A VBScript in the Startup folder and a scheduled task named “ConsoleHostManager” ensure recurring execution of the payload.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – Office macro auto-trigger runs on enablement: ‘When the user clicks “Enable Content,” the auto-trigger routine (Document_Open) in the code will execute.’
  • [T1027] Obfuscated Files or Information – VBA macros use obfuscation to evade static detection: ‘macros are obfuscated using the Chr( ) VBA function and string concatenation.’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via Startup folder VBScript: ‘OCu3HBg7gyI9aUaB.vbs (C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OCu3HBg7gyI9aUaB.vbs)’.
  • [T1053.005] Scheduled Task/Job – The campaign creates a scheduled task for persistence: ‘d.bat creates a scheduled task of the unpacked payload (conhost.exe)’.
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The backdoor spawns command prompts and executes commands via cmd.exe: ‘spawns a command prompt to run tasklist.exe’.
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – VBA writes and executes VBScript files used in the execution chain: ‘creates a VBscript named “OCu3HBg7gyI9aUaB.vbs” that will serve as the chain trigger.’
  • [T1057] Process Discovery – The backdoor lists running processes to detect analysis tools: ‘checks for any processes running from its list of known analysis tools.’
  • [T1071.001] Application Layer Protocol: Web Protocols – Commands and responses are exchanged via HTTP GET to web-based C2 endpoints: ‘The command delivered by the C&C server is obtained through an HTTP GET request.’
  • [T1105] Ingress Tool Transfer – The VBA assembles and writes a ZIP and drops executables and scripts to disk (conhost.zip → conhost.exe): ‘The resulting byte array is the actual ZIP file and is dropped to C:\Users\<username>\AppData\Local\Microsoft\conhost.zip.’

Indicators of Compromise

  • [File Hash – MD5] Document sample – e2a3edc708016316477228de885f0c39, and 3 more MD5 hashes
  • [File Hash – SHA-1] Sample binaries – 3aa803baf5027c57ec65eb9b47daad595ba80bac, and 3 more SHA-1 hashes
  • [File Hash – SHA-256] Payload/binaries – b5c001cbcd72b919e9b05e3281cc4e4914fee0748b3d81954772975630233a6e, and 3 more SHA-256 hashes
  • [Domains] C2 hosts impersonating Nepali gov – mail[.]mofa[.]govnp[.]org, nitc[.]govnp[.]org, and 2 more govnp domains
  • [File Names / Paths] Dropped files and scripts – conhost.exe (from conhost.zip), OCu3HBg7gyI9aUaB.vbs (Startup folder), 8lGghf8kIPIuu3cM.bat, and multiple chained .vbs/.bat scripts

The Word document is a VBA-driven multi-stage dropper: enabling macros triggers Document_Open which runs obfuscated VBA routines that assemble a ZIP from embedded decimal bytes and write multiple scripts and batch files to AppData. The VBA subroutines (sch_task, hide_cons, read_shell, vb_chain) create VBScript files (e.g., OCu3HBg7gyI9aUaB.vbs, skriven.vbs), a batch chain (8lGghf8kIPIuu3cM.bat → unzFile.vbs → unz.vbs → chaining .bat files), and the conhost.zip archive which contains conhost.exe; many strings and paths are split and concatenated to hinder static analysis.

The Nim backdoor (conhost.exe) executes under the current user context and first performs an anti-analysis check: it spawns cmd.exe to run tasklist.exe and exits if any process from its list of known analysis tools is present. It then gathers the hostname, encrypts it with the key “NPA” using the routine named bakery, base64-encodes the result twice, appends that blob with a “.asp” suffix to a randomly chosen government-impersonating C2 domain, and fetches commands via HTTP GET. Each response is decrypted by the routine named confectionary, executed via cmd /c, and the output is posted back. The analyzed samples contacted mail[.]mofa[.]govnp[.]org, nitc[.]govnp[.]org, mx1[.]nepal[.]govnp[.]org and dns[.]govnp[.]org.
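The beacon format described in the keypoints and the paragraph above (encrypt hostname with key “NPA”, base64 twice, append to a govnp[.]org domain with “.asp”) is simple enough to model and to hunt for in proxy logs. The script below is an added example written for this page; it is not code from the Netskope write-up or from the malware. The bakery and confectionary routines are not documented here, so a repeating-key XOR with “NPA” stands in for them as an assumption; the URL layout `http://<c2>/<blob>.asp`, the four-field proxy log format and the log lines themselves are also constructed assumptions. The detector does not depend on the cipher guess: it flags any request to a govnp[.]org host whose `.asp` path element peels as two layers of valid base64, and only then attempts the toy decrypt.

```python
import base64
import random
import re
from typing import List, Optional
from urllib.parse import urlsplit

# C2 hosts listed on the page; used only to build constructed sample traffic.
C2_DOMAINS = [
    "mail.mofa.govnp.org",
    "nitc.govnp.org",
    "mx1.nepal.govnp.org",
    "dns.govnp.org",
]
KEY = b"NPA"  # key named in the write-up
GOVNP = re.compile(r"(^|\.)govnp\.org$")


def toy_cipher(data: bytes, key: bytes = KEY) -> bytes:
    # ASSUMPTION: repeating-key XOR stands in for the undocumented bakery/confectionary
    # routines. XOR is its own inverse, so this serves as both encrypt and decrypt.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_beacon_url(hostname: str, domain: Optional[str] = None) -> str:
    # Models the beacon: encrypt -> base64 -> base64 -> "http://<c2>/<blob>.asp".
    # The exact URL layout is an assumption; the page only says the blob is appended.
    domain = domain or random.choice(C2_DOMAINS)
    once = base64.b64encode(toy_cipher(hostname.encode()))
    twice = base64.b64encode(once).decode()
    return f"http://{domain}/{twice}.asp"


def peel_double_base64(token: str) -> Optional[bytes]:
    # Strictly decode two nested base64 layers; return None on any decoding failure
    # or on an empty result (an empty path element must not count as a beacon).
    try:
        inner = base64.b64decode(token, validate=True)
        plain = base64.b64decode(inner, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return plain or None


def decode_beacon(url: str) -> Optional[str]:
    # Returns the recovered hostname if `url` matches the beacon shape, else None.
    u = urlsplit(url)
    host = u.hostname or ""
    if not GOVNP.search(host) or not u.path.endswith(".asp"):
        return None
    token = u.path[1:-len(".asp")]  # keep any '/' or '+' the outer base64 contains
    blob = peel_double_base64(token)
    if blob is None:
        return None
    return toy_cipher(blob).decode(errors="replace")


def find_beacons(log_lines: List[str]) -> List[dict]:
    # Scan "timestamp src_ip method url status" lines (constructed format) for beacons.
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        hostname = decode_beacon(parts[3])
        if hostname is None:
            continue
        hits.append({"ts": parts[0], "src": parts[1],
                     "c2": urlsplit(parts[3]).hostname, "hostname": hostname})
    return hits


# Constructed sample proxy log: one beacon, one benign .asp on the same host,
# one unrelated .asp request elsewhere.
SAMPLE_LOG = [
    "2023-10-01T09:12:01Z 10.0.0.5 GET " + build_beacon_url("WS-FINANCE-07", "nitc.govnp.org") + " 200",
    "2023-10-01T09:12:05Z 10.0.0.5 GET http://nitc.govnp.org/index.asp 200",
    "2023-10-01T09:13:44Z 10.0.0.9 GET http://www.example.org/report.asp?id=3 200",
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['c2']} beacon from host {hit['hostname']!r}")
```

The double-base64 check is the durable part of this detector: a path element on a govnp[.]org host that decodes cleanly through two base64 layers is a strong signal regardless of what the inner cipher actually is, so the XOR stand-in can be swapped out once the real routine is recovered without touching the matching logic.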

For persistence the dropper places a VBScript in the Startup folder which pings an external site to confirm connectivity before running the batch chain; the chain ultimately unpacks the executable and creates a scheduled task named “ConsoleHostManager” to relaunch the payload. Detection artifacts include the document and executable hashes listed above and the specific dropped filenames and startup/scheduled-task behavior.

Read more: https://www.netskope.com/blog/a-look-at-the-nim-based-campaign-using-microsoft-word-docs-to-impersonate-the-nepali-government