Bitdefender uncovered DownEx, a newly identified espionage malware family targeting Central Asia (Kazakhstan and Afghanistan) with a data-exfiltration focus and a multi-stage attack chain. The operation combines spear-phishing, a disguised Word document launcher, an HTA/VBScript component, a Python-based C2 backdoor with heavy obfuscation, network discovery, and encrypted exfiltration of sensitive files. #DownEx #APT28 #Zebrocy #Kazakhstan #Afghanistan #net-certificate.services
Keypoints
- DownEx is a newly identified malware family used in targeted campaigns in Central Asia with data-exfiltration objectives.
- Infection likely began with spear-phishing emails delivering a disguised executable named “! to embassy kazakh 2022.exe” via a Word document icon.
- The loader extracts two components: the first, a Word document, is a decoy, and the second is an HTA file with embedded VBScript written to run in the background.
- The toolset includes a Python-based backdoor (help.py) with RSA/AES key exchange and heavy obfuscation (PyArmor and Themida) to hinder analysis.
- Discovery tools (wnet.exe and utility.exe) enumerate network resources using the Windows Networking API to support lateral movement.
- DownEx uses a multi-stage C2: tasks are delivered via JSON over HTTPS POST to a C2 domain/IP, including exfiltration of documents into password-protected ZIP archives.
- A fileless VBScript variant downloaded via slmgr.vbe indicates memory-resident operation and flexible payload delivery.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The spear-phishing email delivers a malicious payload disguised as a Word document; “The attachment file did not use double-extension … and was simply named ‘! to embassy kazakh 2022.exe’.”
- [T1036] Masquerading – The attack used a simple technique of using an icon file associated with .docx files to masquerade an executable file as a Microsoft Word document.
- [T1059.005] Command and Scripting Interpreter: Visual Basic – An HTA file with embedded VBScript code is used for execution, since “HTA stands for ‘HTML Application’ … VBscript code that can be executed as a standalone application.”
- [T1027] Obfuscated Files or Information – The Python backdoor was protected by PyArmor and the compiled module was protected by Themida with multiple obfuscation techniques, including opcode mixing.
- [T1071.001] Web Protocols – The C2 communication involves POST requests to the C2 server (e.g., the public key exchange to https[:]//net-certificate.services:443) for tasking and control.
- [T1560.001] Archive Collected Data – Files are archived into password-protected ZIP files before exfiltration.
- [T1041] Exfiltration Over C2 Channel – Exfiltration to the C2 server via POST to http[:]//84.32.188[.]123/hftqlbgtg.php.
Indicators of Compromise
- [MD5] 1e46ef362b39663ce8d1e14c49899f0e, bb7cf346c7db1c518b1a63c83e30c602, and 14 other hashes
- [File name] wnet.exe, utility.exe
- [Domain] net-certificate[.]services
- [IP] 139.99.126[.]38, 84.32.188[.]123
- [URL] https[:]//net-certificate.services:443, http[:]//84.32.188[.]123/hftqlbgtg.php
- [File path] C:\Users\Appdata\Local\Temp\! to Embassy kazakh 2022.doc, C:\ProgramData\Utility\log
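As an added example (not part of the Bitdefender report), the following script refangs the network and file-name indicators listed above and runs them over a few constructed proxy and process-creation log lines; the log lines, host names and timestamps are made up for illustration.

```python
import re

# Indicators from the report, kept in their defanged form.
DEFANGED_IOCS = {
    "domain": ["net-certificate[.]services"],
    "ip": ["139.99.126[.]38", "84.32.188[.]123"],
    "url": ["https[:]//net-certificate.services:443",
            "http[:]//84.32.188[.]123/hftqlbgtg.php"],
    "filename": ["wnet.exe", "utility.exe", "! to embassy kazakh 2022.exe"],
}

def refang(ioc: str) -> str:
    """Undo common defanging ([.] [:] hxxp) so the value matches raw logs."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def build_patterns() -> dict:
    """One case-insensitive regex per indicator, keyed by (kind, refanged value).
    The lookarounds stop 84.32.188.123 from matching inside 84.32.188.1234."""
    pats = {}
    for kind, values in DEFANGED_IOCS.items():
        for v in values:
            clean = refang(v)
            rx = re.compile(r"(?<![\w.])" + re.escape(clean) + r"(?![\w.])", re.I)
            pats[(kind, clean)] = rx
    return pats

def scan(lines):
    """Return (line_no, kind, indicator) for every indicator found in the lines."""
    pats = build_patterns()
    hits = []
    for n, line in enumerate(lines, 1):
        for (kind, value), rx in pats.items():
            if rx.search(line):
                hits.append((n, kind, value))
    return hits

# Constructed sample lines: three proxy records and two Sysmon-style process events.
SAMPLE_LOGS = [
    "2023-05-10T09:12:31Z proxy src=10.0.5.21 method=POST url=http://84.32.188.123/hftqlbgtg.php bytes=48213",
    "2023-05-10T09:12:02Z proxy src=10.0.5.21 method=POST url=https://net-certificate.services:443/ bytes=512",
    '2023-05-10T09:11:40Z sysmon EventID=1 Image="C:\\Users\\alice\\Downloads\\! to embassy kazakh 2022.exe"',
    '2023-05-10T09:13:05Z sysmon EventID=1 Image="C:\\ProgramData\\Utility\\wnet.exe"',
    "2023-05-10T09:14:00Z proxy src=10.0.5.22 method=GET url=https://www.example.com/ bytes=1000",
]

if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} indicator matched -> {value}")
```

Only the first four sample lines produce hits; the benign line 5 is left alone, and a near-miss such as 84.32.188.1234 is not reported.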