New Encrypted Downloader Delivers Metasploit Backdoor

A series of cyber-attacks targeting the Middle East uses an encrypted downloader to deliver a Metasploit backdoor, AlienVault reports.

The attacks start with a malicious Office document that reproduces parts of an article about the upcoming Shanghai Cooperation Organization Summit, originally published at the end of May on a Middle Eastern news network. The document carries macro code that extracts a Visual Basic script stored as a hexadecimal stream, executes it, and launches a new task in a hidden PowerShell console. This stage serves a .NET downloader that uses a custom encryption scheme to obfuscate its own process memory and evade antivirus detection.

Dubbed GZipDe, the downloader appears to be based on a publicly available reverse-TCP payload to which the author added an extra encryption layer around the payload. "It consists of a Base64 string, named GZipDe, which is zip-compressed and custom-encrypted with a symmetric key algorithm, likely to avoid antivirus detection," AlienVault reveals. At run time the downloader allocates a new memory page with execute, read and write permissions, writes the decrypted payload into it and executes it. A handle that serializes access to a system resource (a mutex) ensures that only one instance of the malware runs at a time.

The shellcode in the downloader connects to a server at 175.194.42[.]8 to fetch the final payload. The server was down during analysis, but it had previously been observed serving a Metasploit payload, the researchers note. Metasploit has become a popular choice among threat actors and was previously seen in targeted attacks attributed to the Turla group.
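The layering AlienVault describes (Base64, then a symmetric cipher, then compression) is the kind of wrapper an analyst has to peel before the stage-two bytes can be examined. The script below is an added illustration written for this article, not GZipDe's own code or AlienVault's tooling. The page does not name the cipher or the key, so the example assumes a short repeating-key XOR as a stand-in and gzip as the compression layer; both are assumptions. The interesting part is that no key needs to be known up front: every gzip stream starts with the fixed bytes 1F 8B 08, which serve as a known-plaintext crib that fixes the first key bytes, and gzip's own header and CRC checks act as the oracle for brute-forcing any remaining key bytes. The `pack` helper exists only to build a constructed sample for the demonstration.

```python
"""Analyst-side unpacker for a layered Base64 -> XOR -> gzip payload.

Added example, not GZipDe's own code. The repeating-key XOR and the gzip
layer are ASSUMED stand-ins for the undocumented "custom symmetric" scheme
described in the article.
"""
import base64
import gzip
import itertools
import zlib
from typing import Optional, Tuple

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM=deflate: first three bytes of any gzip stream
MAX_KEY_LEN = 4                # bound the brute force of key bytes the crib cannot fix


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key: bytes) -> str:
    """Build a constructed sample in the assumed format: gzip, XOR, Base64."""
    return base64.b64encode(xor_bytes(gzip.compress(payload, mtime=0), key)).decode("ascii")


def unpack(encoded: str) -> Optional[Tuple[bytes, bytes]]:
    """Peel the layers without being given the key.

    Returns (recovered_key, inner_payload), or None if no key up to
    MAX_KEY_LEN bytes yields a valid gzip stream. The gzip magic determines
    key[0:3]; longer keys have their remaining bytes brute-forced, using
    gzip.decompress (header, deflate and CRC checks) as the oracle.
    """
    blob = base64.b64decode(encoded)
    if len(blob) < len(GZIP_MAGIC):
        return None
    for key_len in range(1, MAX_KEY_LEN + 1):
        # Crib: ciphertext XOR known plaintext gives the key bytes at those positions.
        known = bytes(c ^ p for c, p in zip(blob[:key_len], GZIP_MAGIC))
        unknown = key_len - len(known)          # 0 for key_len <= 3, else key_len - 3
        for tail in itertools.product(range(256), repeat=unknown):
            key = known + bytes(tail)
            try:
                return key, gzip.decompress(xor_bytes(blob, key))
            except (OSError, EOFError, zlib.error):
                continue                        # bad magic, bad deflate data or CRC mismatch
    return None


if __name__ == "__main__":
    # Constructed sample: a fake stage-two blob wrapped with a 4-byte key.
    sample = pack(b"MZ" + b"\x00" * 40 + b"constructed-stage2", b"\x5a\xc3\x99\x01")
    result = unpack(sample)
    if result is None:
        print("no key found")
    else:
        key, inner = result
        print("key:", key.hex(), "payload starts with:", inner[:2])
```

In practice the recovered inner bytes would be handed to a disassembler or scanned for the reverse-TCP stub and its embedded callback address; for this campaign the address to hunt for in proxy and firewall logs is 175.194.42[.]8. The RWX page allocation and single-instance mutex the article mentions are the behavioural indicators worth alerting on regardless of how the packer is built, since they survive any change of key or cipher.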
