New Encrypted Downloader Delivers Metasploit Backdoor

June 22, 2018 / Ionut Arghire

A series of cyber-attacks targeting the Middle East uses an encrypted downloader to deliver a Metasploit backdoor, AlienVault reports.

The attacks start with a malicious document that reproduces parts of an article about the upcoming Shanghai Cooperation Organization summit, originally published at the end of May by a Middle Eastern news network. The Office document contains malicious macro code that executes a Visual Basic script (stored as a hexadecimal stream) and launches a new task in a hidden PowerShell console.

This stage fetches a .NET downloader that uses a custom encryption method to obfuscate its process memory and evade antivirus detection. Dubbed GZipDe, the downloader appears to be based on a publicly available reverse-TCP payload to which the malware author added a new encryption layer. “It consists of a Base64 string, named GZipDe, which is zip-compressed and custom-encrypted with a symmetric key algorithm, likely to avoid antivirus detection...
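As an added example (not code from the article, from AlienVault's report, or from the GZipDe sample itself), the script below builds and then peels a blob layered the way the quote describes: a Base64 string whose decoded contents are compressed and encrypted with a symmetric key. The sample's actual custom cipher is not described on the page, so a repeating-key XOR stands in for it as an assumption; the payload bytes and key are constructed for the demo. The analyst-side function also shows a known-plaintext trick that such a stand-in cipher allows: the plaintext starts with a gzip header, so the key bytes fall out of the first ciphertext bytes.

```python
"""
Added example (not from the article, AlienVault, or the GZipDe sample):
wrap and unwrap a GZipDe-style blob: gzip -> symmetric encrypt -> Base64.
The real cipher is undisclosed here; repeating-key XOR is an assumption.
"""
import base64
import gzip
import zlib
from typing import Optional, Tuple

# gzip header bytes that are fixed when no name/comment/extra field is written
# and mtime is zero: magic 1f 8b, method 08 (deflate), flags 00, mtime 00000000.
GZIP_KNOWN_PREFIX = b"\x1f\x8b\x08\x00\x00\x00\x00\x00"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, standing in for the undisclosed symmetric cipher."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wrap_gzipde(payload: bytes, key: bytes) -> str:
    """Build the blob: gzip-compress, encrypt, then Base64-encode (outermost layer)."""
    compressed = gzip.compress(payload, mtime=0)
    return base64.b64encode(xor_bytes(compressed, key)).decode("ascii")


def unwrap_gzipde(blob: str, key: bytes) -> bytes:
    """Peel the layers in reverse: Base64 -> decrypt -> gunzip."""
    raw = base64.b64decode(blob, validate=True)
    decrypted = xor_bytes(raw, key)
    if decrypted[:2] != GZIP_KNOWN_PREFIX[:2]:
        raise ValueError("no gzip magic after decryption: wrong key or not this cipher")
    return gzip.decompress(decrypted)


def recover_xor_key(raw: bytes, max_key_len: int = 8) -> Optional[bytes]:
    """Known-plaintext recovery: plaintext[i] is a known gzip header byte, so
    key[i] = raw[i] ^ header[i]. A candidate key length is accepted only if it
    reproduces the whole known prefix and the result really decompresses.
    Keys longer than the known prefix cannot be recovered this way."""
    if len(raw) < len(GZIP_KNOWN_PREFIX):
        return None
    for klen in range(1, min(max_key_len, len(GZIP_KNOWN_PREFIX)) + 1):
        key = bytes(raw[i] ^ GZIP_KNOWN_PREFIX[i] for i in range(klen))
        consistent = all(raw[i] ^ key[i % klen] == GZIP_KNOWN_PREFIX[i]
                         for i in range(len(GZIP_KNOWN_PREFIX)))
        if not consistent:
            continue
        try:
            gzip.decompress(xor_bytes(raw, key))
        except (OSError, EOFError, zlib.error):
            continue  # header matched by chance, body does not
        return key
    return None


def analyze_blob(blob: str, max_key_len: int = 8) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Analyst entry point: recover the key from the blob alone, return (key, payload)."""
    raw = base64.b64decode(blob, validate=True)
    key = recover_xor_key(raw, max_key_len)
    if key is None:
        return None, None
    return key, gzip.decompress(xor_bytes(raw, key))


# Constructed demo inputs (not taken from the sample).
DEMO_PAYLOAD = b"MZ\x90\x00" + b"constructed stand-in for the staged payload " * 4
DEMO_KEY = b"\x5a\x13\xc4"

if __name__ == "__main__":
    blob = wrap_gzipde(DEMO_PAYLOAD, DEMO_KEY)
    print("blob:", blob[:48], "...")
    key, payload = analyze_blob(blob)
    print("recovered key:", key.hex() if key else None)
    print("payload matches:", payload == DEMO_PAYLOAD)
```

Base64 sits outermost because it is the form a script can carry as text; the gzip header only appears after decryption, which is what makes the key recovery possible. That recovery works against a short repeating keystream, not against a real block cipher, where the key would instead have to be lifted from the downloader's code or from process memory. Either way, the payload exists in the clear only after this unwrapping, which is why the downloader's memory handling, rather than the file on disk, is where detection has to look.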