Cisco Talos has spotted a coordinated series of cyber attacks spanning January to April 2019 that infected victims with malware designed to harvest credentials. What is interesting about this campaign is that the malicious tools were built from freely available, unrelated components, hence the name "Frankenstein" that the researchers gave to the operation.
The Frankenstein campaign operators used the following open source components to build their malicious tools:
An article to detect when your sample is being run in a VM
A GitHub project that leverages MSbuild to execute a PowerShell command
A component of a GitHub project called "Fruityc2" to build a stager
A GitHub project called "PowerShell Empire" for their agents
The researchers believe that the operators of the Frankenstein campaign are moderately sophisticated and highly resourceful. Open source tools are attractive not only because they are free and readily available, but also because they improve the attackers' operational security and make the malicious activity harder to detect and attribute: custom tooling leaves unique traces that can link a campaign to the tools' developers.
The attackers behind the Frankenstein campaign use several anti-detection techniques, including checking for running analysis programs such as Process Explorer and checking whether the infected machine is actually a virtual machine.
“The threat actors also took additional steps to only respond to GET requests that contained predefined fields, such as a non-existent user-agent string, a session cookie, and a particular directory on the domain. The threat actors also used different types of encryption in order to protect data in transit”, said the researchers.
To compromise victims' computers the attackers used two attack vectors, both distributing trojanized Microsoft Word documents via email. In the first, the malicious document downloads a remote template from an attacker-controlled website; the template is designed to run arbitrary code on the victim's machine using the Microsoft Office memory corruption vulnerability SB2017111412 (CVE-2017-11882) and gains persistence on the system as a scheduled task named "WinUpdate".
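The scheduled-task persistence described for the first vector is straightforward to hunt for on an endpoint. The following PowerShell is an added example written for this article, not code from Talos or from the campaign: the task name "WinUpdate" comes from the report above, while the list of suspicious launcher binaries (powershell, mshta, msbuild and the like, chosen because the campaign's tooling runs PowerShell through MSBuild) is an assumption of this example.

```powershell
# Added example, not from the Talos report: enumerate scheduled tasks and
# flag any whose name matches the reported IoC ("WinUpdate") or whose action
# invokes a script/LOLBin launcher. The launcher list is an assumption here.
function Find-SuspiciousScheduledTask {
    param(
        [string[]]$TaskNames = @('WinUpdate'),
        [string[]]$Launchers = @('powershell', 'pwsh', 'mshta', 'msbuild',
                                 'wscript', 'cscript', 'rundll32', 'regsvr32', 'cmd')
    )
    $results = foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; COM-handler actions do not.
            $exe = ''
            if ($action.Execute) {
                $exe = [IO.Path]::GetFileNameWithoutExtension($action.Execute).ToLower()
            }
            $nameHit = $TaskNames -contains $task.TaskName   # -contains is case-insensitive
            $exeHit  = $Launchers -contains $exe
            if ($nameHit -or $exeHit) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Author    = $task.Author
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    Reason    = if ($nameHit) { 'task name matches reported IoC' } else { "launcher '$exe'" }
                }
            }
        }
    }
    return $results
}

# Usage: run as an administrator so tasks from all users and \Microsoft\* paths are visible.
Find-SuspiciousScheduledTask | Format-Table -AutoSize
```

Expect a number of benign hits from the launcher check (Windows itself schedules PowerShell and rundll32 jobs); triage those by TaskPath, Author and the Arguments column, where an encoded or download-cradle PowerShell command line is the tell, and treat the "WinUpdate" name as the only direct indicator taken from the report.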
The second attack vector is another trojanized Word document that requires the target to enable macros. The macro launches a Visual Basic script that checks for anti-malware analysis tools and stops execution if any are present and running on the system.
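Both the anti-detection checks mentioned earlier (a running Process Explorer, a virtual-machine host) and the macro's analysis-tool check are variations on the same idea: inspect the process list and the hardware identity before doing anything incriminating. The block below is an added illustration written for this article, not the campaign's VBA or any Talos code; it implements those checks in PowerShell as a self-test that an analyst can run inside a sandbox to see whether it would trip such a dropper. The process names and hypervisor marker strings are common choices assumed for the example, not the actor's actual lists.

```powershell
# Added illustration, not the campaign's code: the kind of host checks the
# article describes, written as a sandbox self-test. The names and marker
# strings below are assumptions of this example, not the actor's lists.

function Test-AnalysisTool {
    # Processes a dropper might look for (Get-Process names carry no ".exe").
    param([string[]]$Names = @('procexp', 'procexp64', 'procmon', 'procmon64',
                               'wireshark', 'fiddler', 'x64dbg', 'x32dbg', 'ollydbg', 'ida64'))
    $running = Get-Process | Select-Object -ExpandProperty ProcessName
    $hits = $running | Where-Object { $Names -contains $_.ToLower() } | Sort-Object -Unique
    return @($hits)
}

function Test-VirtualMachine {
    # Hardware identity strings that VM-detection code commonly matches on.
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $markers = @('VMware', 'VirtualBox', 'Virtual Machine', 'QEMU', 'KVM', 'Xen', 'Parallels', 'Hyper-V')
    $fields  = @($cs.Manufacturer, $cs.Model, $bios.Manufacturer, $bios.SerialNumber, $bios.Version)
    $found = foreach ($m in $markers) {
        foreach ($f in $fields) {
            if ($f -and $f -like "*$m*") { $m }
        }
    }
    return @($found | Sort-Object -Unique)
}

$tools = Test-AnalysisTool
$vm    = Test-VirtualMachine
if ($tools.Count) { Write-Output "Analysis tools visible to a dropper: $($tools -join ', ')" }
if ($vm.Count)    { Write-Output "Hypervisor markers visible to a dropper: $($vm -join ', ')" }
if (-not $tools.Count -and -not $vm.Count) { Write-Output "No analysis-tool or VM indicators found by these checks" }
```

If this script reports findings inside your detonation environment, a sample that performs the checks described above will most likely exit before reaching its payload, and any "clean" verdict from that run is unreliable; renaming the analysis tools and overriding the SMBIOS strings the hypervisor exposes are the usual mitigations.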
After checking the host, the malware gathers information such as the username, machine name, public IP address, user privileges, running processes, OS version, and a SHA256 HMAC, and sends the stolen data to the C2 server over an AES-CBC encrypted channel.
More detailed technical analysis of the campaign and Indicators of Compromise (IoCs) are available in Cisco Talos’ blog.