SYNC-SCHEDULER : A DEDICATED DOCUMENT STEALER

Sync-Scheduler is a C++ document-stealer delivered via nested Office files: a PowerPoint embedded inside a Word document carries a Base64 payload in its slide title, which VBA macros decode and schedule for execution. The dropper writes an executable (wword.exe), stages stolen files in AppData\Roaming\OneDrive with renamed extensions, and exfiltrates them via HTTP POST to syncscheduler.com (146.70.157.120). #Sync-Scheduler #syncscheduler.com

Keypoints

  • Initial vector: Word document with an embedded PowerPoint that hides a Base64-encoded payload in the first slide title.
  • Password-protected VBA macros decode the Base64 string, write support.txt into C:\~Microsoft365, and create a scheduled task to decode and run wword.exe.
  • wword.exe creates C:\Users\<user>\AppData\Roaming\OneDrive, enumerates user accounts, and searches Downloads, Desktop, and Documents for target file types.
  • Targeted extensions include .doc/.docx, .xls/.xlsx, .ppt/.pptx, .pdf, and .zip; files are copied to the OneDrive folder and renamed by replacing the dot with type-specific strings before exfiltration.
  • Exfiltration is performed via HTTP POST form-data to http[:]//syncscheduler[.]com/r3diRecT/redirector/proxy.php (resolving to 146.70.157.120); files are deleted from the staging folder after transfer.
  • Sync-Scheduler implements anti-analysis checks (debugger, VM/sandbox detection, hooked DLL checks) and terminates execution via FatalExit if analysis is detected.

MITRE Techniques

  • [T1027.009] Embedded Payloads – Malware hidden inside nested Office objects (PowerPoint embedded in Word) with payload stored in slide/page title; (‘base-64 encoded string as Page Title’)
  • [T1140] Deobfuscate/Decode Files or Information – VBA macros decode Base64 from the slide title into support.txt and reconstruct the executable; (‘writes this base-64 string into this file’)
  • [T1053.005] Scheduled Task – Macros create a scheduled task “windows_updates” to decode support.txt to wword.exe and execute it at a set time; (‘creates a scheduled task windows_updates that will run only once, and the start time will be 11:11’)
  • [T1059.003] Windows Command Shell – The scheduled task runs the decoded executable via a hidden command prompt shell; (‘execute it using the shell function in a hidden command prompt window’)
  • [T1564.001] Hidden Files and Directories – The dropper creates a hidden system folder C:\~Microsoft365 to store payloads and support files; (‘creates a folder at “C:\~Microsoft365” as a hidden system directory’)
  • [T1083] File and Directory Discovery – The malware enumerates users and searches Downloads, Desktop, and Documents for target file types; (‘starts querying for the files/folders in the User’s Downloads, Desktop and Documents directories’)
  • [T1041] Exfiltration Over C2 Channel – Staged files are uploaded to a remote server via HTTP POST form-data to the C2 URL; (‘form-data’ to the URL “http[:]//syncscheduler[.]com/r3diRecT/redirector/proxy.php”)
  • [T1071.001] Web Protocols – Uses plain HTTP for C2 communication and file transfer; (‘attempts to establish a connection with the domain “syncscheduler.com” and sends the system’s UID to C2’)
  • [T1622] Debugger Evasion – The binary checks for debuggers and analysis tools in memory and aborts if detected; (‘looks for the presence of various analysis tools, including debuggers’)
  • [T1497] Virtualization/Sandbox Evasion – The malware detects virtualized or sandboxed environments and exits to avoid analysis; (‘verifies if the specified DLLs are hooked to hide the analysis environment’ and triggers ‘FatalExit’)
  • [T1070.004] File Deletion – After successful transfer, the malware deletes the staged copy from the OneDrive folder; (‘after transferring the file to the C2 server, it is then deleted from the OneDrive folder’)

Indicators of Compromise

  • [MD5] Document and payload hashes – c1ab783d60cf05636eb4f72d17c6cf1d (China Navy First Training 2024(CN).docx), df6b768247a9cdb5607819c79f02099d (wword.exe)
  • [SHA-256] File hashes – 2027a5acbfea586f2d814fb57a97dcfce6c9d85c2a18a0df40811006d74aa7e3 (China Navy First Training 2024(CN).docx), 6e4a4d25c2e8f5bacc7e0f1c8b538b8ad61571266f271cfdfc14725b3be02613 (wword.exe)
  • [Filename] Samples observed – wword.exe (dropped payload), smsse.exe (older variant)
  • [Domain/URL] C2 endpoint – http[:]//syncscheduler[.]com/r3diRecT/redirector/proxy[.]php (used for file exfiltration)
  • [IP address] C2 hosting – 146[.]70[.]157[.]120 (resolves from the above URL)

The technical infection chain begins with a Word document embedding a PowerPoint file; the first slide’s title contains a long Base64 string (the PPT file title also holds a fragment). Password-protected VBA macros extract that string, write it to C:\~Microsoft365\support.txt, and create a scheduled task (“windows_updates”) set to run once at 11:11; the task decodes support.txt into an executable named wword.exe and launches it via a hidden cmd shell.
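The triage step a responder would script for this chain, as an added example (not Cyfirma's code and not the malware's): open the .docx as a zip, pull any embedded PPTX out of word/embeddings/, read the first slide's title placeholder and the package's dc:title, and Base64-decode whatever looks like a payload without ever running it. Assumptions, also marked in the code: the PowerPoint is embedded as a bare .pptx package (Word can instead wrap an embedding in an OLE .bin container, which this does not unpack), the title is the shape carrying `<p:ph type="title"/>` in ppt/slides/slide1.xml, and the document produced by `build_sample` plus the two SAMPLE_ constants are constructed for the example.

```python
"""Extract Base64 payloads hidden in the titles of a PowerPoint embedded in a .docx.

Added example for triage; not the report's or the malware's code. Assumption:
the embedding is a bare OOXML .pptx (OLE-wrapped .bin embeddings are skipped).
"""
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "p": "http://schemas.openxmlformats.org/presentationml/2006/main",
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# Heuristic only: a title made purely of Base64 characters, at least 16 long.
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]{16,}$")


def embedded_packages(docx_bytes: bytes) -> list:
    """(member name, bytes) for every word/embeddings/ member that is itself a zip."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/embeddings/"):
                data = z.read(name)
                if data.startswith(b"PK\x03\x04"):  # OOXML package, not an OLE .bin
                    found.append((name, data))
    return found


def slide_title(pptx_bytes: bytes, slide: str = "ppt/slides/slide1.xml") -> str:
    """Concatenated text runs of the title placeholder shape on the given slide."""
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        if slide not in z.namelist():
            return ""
        root = ET.fromstring(z.read(slide))
    for sp in root.iterfind(".//p:sp", NS):
        ph = sp.find("p:nvSpPr/p:nvPr/p:ph", NS)
        if ph is not None and ph.get("type") in ("title", "ctrTitle"):
            return "".join(t.text or "" for t in sp.iterfind(".//a:t", NS))
    return ""


def package_title(pptx_bytes: bytes) -> str:
    """dc:title from docProps/core.xml; the report notes a fragment lives here too."""
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return ""
        root = ET.fromstring(z.read("docProps/core.xml"))
    node = root.find("dc:title", NS)
    return (node.text or "") if node is not None else ""


def extract_payloads(docx_bytes: bytes) -> list:
    """Decode every Base64-looking title in every embedded package.
    Each finding records the embedding, where the text sat, the decoded bytes
    and whether they begin with the MZ magic. Nothing is written to disk or run."""
    findings = []
    for name, pkg in embedded_packages(docx_bytes):
        for where, text in (("slide1/title", slide_title(pkg)),
                            ("core.xml/dc:title", package_title(pkg))):
            if not (text and B64_RE.match(text)):
                continue
            try:
                decoded = base64.b64decode(re.sub(r"\s+", "", text), validate=True)
            except ValueError:  # binascii.Error is a ValueError: not real Base64
                continue
            findings.append({"embedding": name, "where": where,
                             "decoded": decoded, "is_pe": decoded[:2] == b"MZ"})
    return findings


def build_sample(slide_text: str, core_title: str) -> bytes:
    """Constructed fixture: a minimal .docx embedding a minimal .pptx whose
    slide-1 title is `slide_text` and whose package title is `core_title`."""
    slide_xml = (
        f'<p:sld xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}"><p:cSld><p:spTree>'
        '<p:sp><p:nvSpPr><p:cNvPr id="2" name="Title 1"/><p:cNvSpPr/>'
        '<p:nvPr><p:ph type="title"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody>'
        f'<a:bodyPr/><a:p><a:r><a:t>{slide_text}</a:t></a:r></a:p>'
        '</p:txBody></p:sp></p:spTree></p:cSld></p:sld>'
    )
    core_xml = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
                f'<dc:title>{core_title}</dc:title></cp:coreProperties>')
    pptx = io.BytesIO()
    with zipfile.ZipFile(pptx, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml", slide_xml)
        z.writestr("docProps/core.xml", core_xml)
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/embeddings/Microsoft_PowerPoint_Presentation.pptx", pptx.getvalue())
    return docx.getvalue()


# Constructed stand-ins: 16 bytes "MZ" + 14 NOPs (a real payload is far larger),
# and the text "second fragment!" for the package title.
SAMPLE_SLIDE_B64 = "TVqQkJCQkJCQkJCQkJCQkA=="
SAMPLE_CORE_B64 = "c2Vjb25kIGZyYWdtZW50IQ=="

if __name__ == "__main__":
    for f in extract_payloads(build_sample(SAMPLE_SLIDE_B64, SAMPLE_CORE_B64)):
        print(f["embedding"], f["where"], "PE" if f["is_pe"] else "data", len(f["decoded"]), "bytes")
```

Run it against a real sample by passing the file's bytes to `extract_payloads`; a finding with `is_pe` true is the dropped executable and can be hashed and compared with the IOCs above without touching the scheduled-task path at all.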

Once executed, wword.exe creates C:\Users\<user>\AppData\Roaming\OneDrive, enumerates local user accounts, and recursively searches Downloads, Desktop, and Documents for document filetypes (.doc/.docx, .xls/.xlsx, .ppt/.pptx, .pdf, .zip). For each file found it copies the file to the OneDrive staging folder, replaces the extension period with a type-specific string (e.g., .doc → X367, .pdf → X567), then uploads the staged files one at a time to the C2 server using HTTP POST form-data to http[:]//syncscheduler[.]com/r3diRecT/redirector/proxy.php (resolving to 146.70.157.120), deleting the staged copy after a successful transfer.
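An added hunting example (not from the report and not the malware's code) that flags the two artifacts this stage leaves behind: staged copies in the AppData\Roaming\OneDrive folder, recognisable because the dot before a targeted extension has been replaced by an X-code, and POST requests to the C2 path in a web-proxy log. Assumptions, also marked in the code: only the two codes the report gives (X367 for .doc, X567 for .pdf) are known, so any other "X" plus three digits in front of a targeted extension is reported as a suspected code; the proxy-log layout and the directory listing are constructed for the example. A practitioner's caveat: the genuine OneDrive sync root sits directly under the user profile, so a OneDrive folder under AppData\Roaming is itself worth a look even before its contents are checked.

```python
"""Hunt for Sync-Scheduler staging names and C2 POSTs.

Added example; not from the report or the malware. Assumptions: unknown
dot-replacement codes follow the 'X' + three digits shape of the two the report
gives, and the proxy log format below is invented for the example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Extensions the report lists as targeted.
TARGET_EXTS = ("docx", "doc", "xlsx", "xls", "pptx", "ppt", "pdf", "zip")
# Codes the report gives; everything else is unknown (assumption: same shape).
KNOWN_CODES = {"X367": "doc", "X567": "pdf"}
STAGED_RE = re.compile(
    r"^(?P<stem>.+?)(?P<code>X\d{3})(?P<ext>" + "|".join(TARGET_EXTS) + r")$")

C2_HOSTS = {"syncscheduler.com", "146.70.157.120"}   # domain or raw IP
C2_PATH = "/r3direct/redirector/proxy.php"            # compared case-insensitively


@dataclass
class Staged:
    staged_name: str     # name as found in the staging folder
    original_name: str   # name with the dot put back
    code_known: bool     # the code/extension pair is one the report documents


def find_staged(listing) -> list:
    """Staged document copies in a directory listing (names only, no paths)."""
    hits = []
    for name in listing:
        m = STAGED_RE.match(name)
        if m is None:
            continue
        hits.append(Staged(name, f"{m['stem']}.{m['ext']}",
                           KNOWN_CODES.get(m["code"]) == m["ext"]))
    return hits


# Constructed log line shape: <timestamp> <client ip> <method> <url> <status> <bytes>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
                    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$")


def find_exfil(log_lines) -> list:
    """(timestamp, client, request bytes) for every POST to the C2 endpoint.
    The malware posts one file per request, so each hit is roughly one document."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m is None or m["method"] != "POST":
            continue
        u = urlsplit(m["url"])
        if u.hostname in C2_HOSTS and u.path.lower() == C2_PATH:
            hits.append((m["ts"], m["src"], int(m["bytes"])))
    return hits


# Constructed sample input.
SAMPLE_LISTING = ["Q3_budgetX367doc", "contractX567pdf", "notesX123xlsx",
                  "desktop.ini", "readme.txt"]
SAMPLE_LOG = [
    "2024-05-02T11:12:04Z 10.0.5.23 POST http://syncscheduler.com/r3diRecT/redirector/proxy.php 200 48213",
    "2024-05-02T11:12:09Z 10.0.5.23 POST http://146.70.157.120/r3diRecT/redirector/proxy.php 200 9120",
    "2024-05-02T11:12:10Z 10.0.5.40 GET http://example.com/index.html 200 512",
    "2024-05-02T11:12:11Z 10.0.5.40 POST http://example.com/upload 200 700",
]

if __name__ == "__main__":
    for s in find_staged(SAMPLE_LISTING):
        print(f"staged: {s.staged_name} -> {s.original_name} ({'known' if s.code_known else 'suspected'} code)")
    for ts, src, n in find_exfil(SAMPLE_LOG):
        print(f"exfil: {ts} {src} sent {n} bytes")
```

Because the staged copy is deleted after a successful upload, the listing check mostly catches in-progress or failed transfers; the proxy check is the more durable of the two, and the request byte counts give a rough size of what left.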

The binary includes multiple anti-analysis routines: it scans process memory for analysis tool strings, checks for hooked DLLs, and looks for virtualization/sandbox indicators; if analysis is detected it calls FatalExit to terminate execution. An older related sample (smsse.exe) shares the same C2 URL and targets a broader set of file types, indicating iterative development and persistence of the campaign.

Read more: https://www.cyfirma.com/research/sync-scheduler-a-dedicated-document-stealer/