Two-sentence summary: A newly identified family of malicious documents from Iran, dubbed Green Stone, embeds an executable payload (nvidiax.exe) delivered via a macro and executes it after unpacking from base64-encoded content. The malware hides itself, gathers system information, and uses a Telegram bot as its C2 channel, with commands and indicators documented by InQuest Labs.
#GreenStone #Tavangoostar #NvidiaGraphic #TelegramBot #Iran #InQuestLabs
Keypoints
- The Green Stone family refers to a set of malicious documents uploaded from Iran containing embedded executables.
- The macro decodes and unpacks an executable (nvidiax.exe) into a temporary directory and runs it.
- To conceal itself, the malware copies itself into the roaming profile under a path such as %USERPROFILE%\AppData\Roaming\NvidiaGraphic\{274f2f-20k-5522-ba37-91401alac280}\taskshost.exe, a file name one letter away from the legitimate Windows binary taskhost.exe.
- It reads the user's recently typed Internet Explorer addresses from the registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs.
- The program checks Internet connectivity by calling ping.exe (e.g., ping -n 1 www.google.com).
- It collects system information, takes screenshots, and sends data to a remote server, using a Telegram bot for command-and-control.
- Commands exposed via the Telegram bot include a wide set (e.g., $sdir, $fdir, $run, $get, $put, $pic, $copy).
MITRE Techniques
- [T1204.002] User Execution: Malicious File – The macro unpacking and execution of a payload is described as: “When analyzing the macro, we will see functions that unpack the executable file (nvidiax.exe) into a temporary directory and then run it.”
- [T1027] Obfuscated/Compressed Files and Information – The payload is encoded in base-64 with a reverse function: “the executable that is encoded in base-64 plus a reverse function.”
- [T1012] Query Registry – The program accesses registry sections to retrieve recently visited resources: “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs”.
- [T1059.003] Windows Command Shell – The malware checks connectivity by invoking ping: “Calling ping.exe on the google.com page.”
- [T1113] Screen Capture – The program “takes a screenshot of the screen” as part of data collection.
- [T1071.001] Web Protocols – C2 via Telegram bot: “the program uses a telegram bot” to exchange commands with the attacker.
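The macro keypoint above and the T1027 entry both describe the payload as "base-64 plus a reverse function" but not the order in which the macro applies the two layers. The following Python is an added example, not code from the report or from InQuest Labs: it tries both orderings, keeps the candidate that starts with the MZ magic every Windows executable carries, and records size and SHA-256 so the result can be compared with the report's hash list. The blob it decodes is constructed from a fake MZ header, not from the real nvidiax.exe, and the names (recover_payload, encode_like_macro, describe) are this example's own.

```python
import base64
import binascii
import hashlib

# Constructed stand-in for the executable the macro carries: an MZ header plus
# filler, NOT a real PE file. Only the encoding layers are modelled on the report.
FAKE_PE = b"MZ" + b"\x90" * 14 + b"This program cannot be run in DOS mode."


def encode_like_macro(data: bytes, reverse_text: bool = True) -> str:
    """Apply 'base64 plus a reverse' in one of the two orders a macro could use.
    reverse_text=True: base64-encode, then reverse the text (assumed default).
    reverse_text=False: reverse the bytes, then base64-encode them."""
    if reverse_text:
        return base64.b64encode(data).decode("ascii")[::-1]
    return base64.b64encode(data[::-1]).decode("ascii")


def sample_blob() -> str:
    """The string literal an analyst would lift out of the macro (constructed)."""
    return encode_like_macro(FAKE_PE)


def candidate_decodings(blob: str):
    """Yield (ordering, bytes) for each ordering that decodes cleanly.
    Whitespace is stripped first because VBA splits long literals over lines.
    validate=True makes a reversed base64 string (padding at the front) fail
    instead of silently producing garbage."""
    text = "".join(blob.split())
    attempts = (
        ("reverse-then-b64decode", lambda: base64.b64decode(text[::-1], validate=True)),
        ("b64decode-then-reverse", lambda: base64.b64decode(text, validate=True)[::-1]),
    )
    for ordering, decode in attempts:
        try:
            yield ordering, decode()
        except (binascii.Error, ValueError):
            continue  # wrong ordering for this blob, or a corrupt blob


def recover_payload(blob: str):
    """Return (ordering, payload) for the first candidate carrying the 'MZ'
    magic every Windows executable starts with, or (None, b'') if none does."""
    for ordering, data in candidate_decodings(blob):
        if data.startswith(b"MZ"):
            return ordering, data
    return None, b""


def describe(data: bytes) -> dict:
    """Facts to record before comparing against the report's hash list."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": data.startswith(b"MZ"),
    }


if __name__ == "__main__":
    ordering, payload = recover_payload(sample_blob())
    print(ordering, describe(payload))
```

Because the decoder never writes the recovered bytes to disk, it can be run on the string pulled from a live sample without reproducing the macro's own drop-to-%TEMP% step; compare the returned sha256 with the hashes in the indicator list before doing anything else with the file.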
Indicators of Compromise
- [Hash] Hashes – 6e7711307e375ae3b7fe5e16da1c3557dbf220be7a66d24160f98e2053105cd9, 9cbbea3dc408ebb5d037f1c904f5445c2e7b71ebfa50d4897b57222bb86a3426, and 5 more hashes
- [URL] URLs – http://185.162.235.184/mh/ftp/tel2.php?url=setadpUteg/keTINBR6pOws_iCm0ohbNI8aJbVqmqKCGAA:3714166455tob, http://185.162.235.184/favicon.ico, and 2 more URLs
- [File] File Names – nvidiax.exe, taskshost.exe, and other related artifacts
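The indicators above and the behaviours in the keypoints combine into host-side hunting logic. The Python below is an added example, not a detection shipped by InQuest Labs: it scores simplified process, file, registry and network events against the report's hashes, the NvidiaGraphic persistence path, the TypedURLs read, the ping connectivity check and the C2 address. The event schema (image, parent_image, cmdline, sha256, target, dest) and the sample telemetry are constructed for the example, and api.telegram.org is an assumption on my part: the report only says the malware "uses a telegram bot", and that host is also used by legitimate Telegram clients.

```python
import re

# Indicators copied from the report. api.telegram.org is an ASSUMPTION: the
# Telegram Bot API is served from it, but so is legitimate client traffic.
KNOWN_SHA256 = {
    "6e7711307e375ae3b7fe5e16da1c3557dbf220be7a66d24160f98e2053105cd9",
    "9cbbea3dc408ebb5d037f1c904f5445c2e7b71ebfa50d4897b57222bb86a3426",
}
C2_HOSTS = {"185.162.235.184", "api.telegram.org"}
PERSIST_DIR = re.compile(r"\\AppData\\Roaming\\NvidiaGraphic\\", re.IGNORECASE)
TYPED_URLS = re.compile(r"\\Software\\Microsoft\\Internet Explorer\\TypedURLs$", re.IGNORECASE)
PING_CHECK = re.compile(r"^ping(?:\.exe)?\s+-n\s+1\s+www\.google\.com$", re.IGNORECASE)
# Where the report places the payload: %TEMP% (nvidiax.exe) or the NvidiaGraphic directory.
STAGING_DIR = re.compile(r"\\(?:Temp|NvidiaGraphic)\\", re.IGNORECASE)


def classify(ev):
    """Return the names of every rule one event trips (empty list means clean).
    The event fields are an assumed, Sysmon-like schema, not a real log format."""
    hits = []
    paths = (ev.get("image", ""), ev.get("target", ""))
    if ev.get("sha256", "").lower() in KNOWN_SHA256:
        hits.append("known_hash")
    # taskshost.exe is one letter away from the legitimate taskhost.exe, so match
    # the whole file name rather than a substring to avoid flagging the real binary.
    if any(PERSIST_DIR.search(p) or p.lower().endswith("\\taskshost.exe") for p in paths):
        hits.append("persistence_path")
    if ev.get("type") == "registry" and TYPED_URLS.search(ev.get("target", "")):
        hits.append("typedurls_read")
    # A lone ping to google is noise; require the parent to live in a staging location.
    if (ev.get("type") == "process"
            and PING_CHECK.match(ev.get("cmdline", "").strip())
            and STAGING_DIR.search(ev.get("parent_image", ""))):
        hits.append("connectivity_check")
    if ev.get("type") == "network" and ev.get("dest", "").lower() in C2_HOSTS:
        hits.append("c2_contact")
    return hits


def triage(events):
    """Flatten a batch into (event index, rule) pairs in arrival order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed sample telemetry following the chain the report describes.
NVG = r"C:\Users\alice\AppData\Roaming\NvidiaGraphic\{274f2f-20k-5522-ba37-91401alac280}\taskshost.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"type": "process", "image": WORD, "cmdline": "WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\nvidiax.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\nvidiax.exe", "parent_image": WORD,
     "sha256": "6e7711307e375ae3b7fe5e16da1c3557dbf220be7a66d24160f98e2053105cd9"},
    {"type": "file", "image": r"C:\Users\alice\AppData\Local\Temp\nvidiax.exe", "target": NVG},
    {"type": "registry", "image": NVG,
     "target": r"HKCU\Software\Microsoft\Internet Explorer\TypedURLs"},
    {"type": "process", "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 1 www.google.com", "parent_image": NVG},
    {"type": "network", "image": NVG, "dest": "185.162.235.184", "dport": 80},
    # Legitimate taskhost.exe: must not trip the look-alike rule.
    {"type": "process", "image": r"C:\Windows\System32\taskhost.exe",
     "cmdline": "taskhost.exe", "parent_image": r"C:\Windows\System32\services.exe"},
]


if __name__ == "__main__":
    for index, rule in triage(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The hash and persistence-path rules are high confidence on their own; the ping and Telegram rules are only meaningful in context, which is why the ping rule requires a parent in a staging directory and why a c2_contact hit on api.telegram.org should be joined to the originating process before anyone acts on it.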