DownEx malware

Attackers are constantly refining their techniques, and once those techniques mature into repeatable tooling, companies and critical-infrastructure operators become targets of sophisticated attacks. It is worth examining the concepts attackers have developed.

The DownEx malware campaign is an example of how skilled attackers have become at building their malicious tools and carrying out targeted attacks.

Even today, the most sophisticated cyberattacks can begin with a simple phishing email.

Experts discovered DownEx at the end of 2022. The targets were foreign government institutions in Kazakhstan, from which the attackers sought to steal information.

The spear-phishing campaign showed early on how carefully the attackers chose their targets: they impersonated real diplomats. The identity of the likely recipients points to a group operating with state support, but the attacks could not be attributed to a specific actor.

One clue to the attackers' origin is a cracked bilingual build of Microsoft Office 2016, “SPecialisST RePack” or “Russian RePack by SPECialist”, which is widespread in Russian-speaking countries. The fact that the attackers wrote their backdoor in two languages points in the same geographic direction: the same practice is known from the Russian group APT28 and its Zebrocy backdoor. None of this, however, has been proven to be reliable attribution.

Social engineering to select recipients

What social-engineering groundwork the attackers did remains unclear. One thing is certain: even this year, sophisticated attacks will often start with phishing.

Although the attackers likely researched the target group through its contacts and crafted content relevant to it, the complex attack began, as is often the case, with a very simple email.

The authors of the spear-phishing email used a relatively simple disguise: an executable file carrying a document icon and posing as a .docx file. Notably, the attachment did not even rely on a double file extension, which security products usually flag as suspicious.

The executable drops two files. The Word document is unremarkable and appears to serve only to keep the victim from becoming suspicious while the real payload runs in the background.

The second file is an HTA (HTML Application). It too was camouflaged by omitting its usual extension. The VBScript, HTML, CSS or JavaScript embedded in an HTA runs as a standalone application on Windows.
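The two disguises described above (an executable with a document icon and name, and an HTA shipped without its extension) are both defeated by looking at content rather than file names. The following Python script is an added example from the defender's side, not code from the article or from the researchers it summarises: it sniffs a few leading bytes to decide what an attachment really is, compares that with what the extension claims, and also flags the classic double extension. The sample attachments, the type names and the thresholds are constructed for this example.

```python
import io
import zipfile

# Coarse content types recognised from leading bytes, independent of the file name.
def sniff_type(data: bytes) -> str:
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data.startswith(b"PK\x03\x04"):
        # Office Open XML (.docx/.xlsx/.pptx) is a ZIP container with [Content_Types].xml at its root
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "[Content_Types].xml" in zf.namelist():
                    return "ooxml-document"
        except zipfile.BadZipFile:
            pass
        return "zip-archive"
    head = data[:1024].lower()
    if b"<hta:application" in head or b"<script" in head or b"<html" in head:
        return "html-application"
    return "unknown"

# What a file *claims* to be, judged from its last extension only (example mapping, not exhaustive).
EXTENSION_TYPES = {
    "docx": "ooxml-document", "xlsx": "ooxml-document", "pptx": "ooxml-document",
    "zip": "zip-archive", "exe": "pe-executable", "hta": "html-application",
}
EXECUTABLE_TYPES = {"pe-executable", "html-application"}


def check_attachment(name: str, data: bytes) -> dict:
    """Compare claimed and actual type; flag executable content hiding behind a harmless name."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    claimed = EXTENSION_TYPES.get(ext, "no-extension" if not ext else "other")
    actual = sniff_type(data)
    # "report.docx.exe": the second-to-last extension is a document type used as bait
    double_extension = len(parts) > 2 and parts[-2] in EXTENSION_TYPES
    if double_extension or (actual in EXECUTABLE_TYPES and claimed != actual):
        verdict = "suspicious"
    elif claimed in EXTENSION_TYPES.values() and actual != claimed:
        verdict = "mismatch"
    else:
        verdict = "ok"
    return {"name": name, "claimed": claimed, "actual": actual, "verdict": verdict}


def _docx_bytes() -> bytes:
    """Build a minimal, genuine-looking OOXML container in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed samples; none of these are files from the campaign.
SAMPLES = [
    ("meeting_notes.docx", b"MZ\x90\x00" + b"\x00" * 60),                     # PE behind a document name
    ("invoice", b'<html><hta:application id="x"/><script></script></html>'),  # HTA with no extension
    ("agenda.docx.exe", b"MZ\x90\x00"),                                       # classic double extension
    ("memo.docx", _docx_bytes()),                                             # genuine document
]


def triage(samples=SAMPLES) -> list:
    """Run the check over a batch of (name, bytes) pairs."""
    return [check_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for result in triage():
        print(f"{result['name']:22} claimed={result['claimed']:15} actual={result['actual']:15} {result['verdict']}")
```

In a mail gateway this logic sits beside, not instead of, signature and sandbox checks: it catches the mismatch itself, regardless of what the payload does once opened.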

Distribution of command-and-control (C2) tasks

To establish a communication loop with the C2 infrastructure, the attackers used a Python backdoor, help.py. The obfuscated script was difficult to analyse: it was protected with PyArmor, a Python obfuscation tool that guards scripts against reverse engineering and tampering.

The attackers also protected the accompanying compiled pytransform.pyd module (essentially a DLL used by the Python script) against reverse engineering with the Themida software protector, and applied further obfuscation techniques, including opcode mixing.

Once running, help.py generated a 2048-bit RSA public/private key pair on the victim's system. The public key was sent to the C2 server in a POST request as key-value pairs.

The C2 server responded with valid Python code that set a client ID for the victim system as a persistent identifier.

The C2 server then sends the specific tasks to be carried out on the compromised computer. Each task carries an identification number, which appears to be a global, incrementing value shared across all victims of the campaign.

The highest task ID observed by security researchers was 115880, meaning the attackers had sent more than 100,000 tasks to victims.

In one observed attack, security experts identified four tasks that together form a basic exfiltration toolkit:

A3 — DOWNLOAD_LIST: collects files with certain extensions from a directory. The task retrieves only files modified in the last N days, where N is hard-coded. It sends the data out in ZIP archives limited to 16 MB each; if necessary, several archives are used. The victim also sends the C2 server a list of the matching files, including the full path, size, creation date and last-modified date of each collected file.

A4 — DOWNLOAD_AND_DELETE_LIST: as A3, but additionally deletes the collected files from the victim's system. Presumably the attackers used it to remove data generated by their other malware and tasks, covering their tracks.

A6 — SCAN_LIST: similar to A3, but reports files already seen without sending them again. This avoids duplicates and reduces the volume of data transmitted.

A7 — SCREENSHOT: captures a screenshot of the compromised computer and sends it to the attackers.

Targeted data search

The attackers also used a new piece of malware written in C++. They placed the executable diagsvc.exe in the folder C:\ProgramData\Programs, where it attracted no particular suspicion. It was built for unauthorised data exfiltration. All collected samples contacted the same C2 server.
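The artifacts named so far (an HTA launched without its extension, a Python script backdoor, and an executable dropped under C:\ProgramData\Programs) each leave a footprint in process-creation telemetry. The script below is an added example written from the detection side; it is not code from the article or from the researchers behind it. It applies three simple host-based rules to constructed events: mshta.exe (the Windows HTA host, which the article does not name) started with an argument that is not a .hta path; a script interpreter running a script from a user-writable location; and any process executing from C:\ProgramData\Programs. The event format, the interpreter list and the path markers are this example's own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (not real telemetry); the field names are this example's own.
EVENTS = [
    {"pid": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\ada\AppData\Local\Temp\embassy_schedule"'},
    {"pid": 2, "image": r"C:\Python39\pythonw.exe",
     "cmdline": r'"C:\Python39\pythonw.exe" C:\Users\ada\AppData\Roaming\help.py'},
    {"pid": 3, "image": r"C:\ProgramData\Programs\diagsvc.exe",
     "cmdline": r'"C:\ProgramData\Programs\diagsvc.exe"'},
    {"pid": 4, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'},
    {"pid": 5, "image": r"C:\Python39\python.exe",
     "cmdline": r'"C:\Python39\python.exe" C:\tools\build.py --release'},
]

# Assumed list of script hosts worth watching (Python and Windows Script Host).
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe"}
# Path fragments treated as user-writable staging locations (example heuristic).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def _args(cmdline: str) -> list:
    """Split a Windows command line, keeping quoted paths together, and drop the program token."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    return tokens[1:]


def _image_name(event: dict) -> str:
    return PureWindowsPath(event["image"]).name.lower()


def rule_hta_without_extension(event: dict) -> bool:
    """mshta.exe given a target that does not end in .hta (extension-less HTA as described above)."""
    if _image_name(event) != "mshta.exe":
        return False
    args = _args(event["cmdline"])
    return bool(args) and not any(a.lower().endswith(".hta") for a in args)


def rule_script_from_user_writable_path(event: dict) -> bool:
    """A script host executing something staged under a user-writable directory."""
    if _image_name(event) not in SCRIPT_HOSTS:
        return False
    return any(marker in a.lower() for a in _args(event["cmdline"]) for marker in USER_WRITABLE)


def rule_execution_from_programdata_programs(event: dict) -> bool:
    """Any image launched from the folder the article names for diagsvc.exe."""
    return event["image"].lower().startswith("c:\\programdata\\programs\\")


RULES = {
    "hta_without_extension": rule_hta_without_extension,
    "script_from_user_writable_path": rule_script_from_user_writable_path,
    "execution_from_programdata_programs": rule_execution_from_programdata_programs,
}


def detect(events=EVENTS) -> dict:
    """Return {pid: [rule names that matched]} for events that triggered at least one rule."""
    hits = {}
    for event in events:
        matched = [name for name, rule in RULES.items() if rule(event)]
        if matched:
            hits[event["pid"]] = matched
    return hits


if __name__ == "__main__":
    for pid, names in detect().items():
        print(f"pid {pid}: {', '.join(names)}")
```

Each rule is deliberately narrow; in a real deployment they would be expressed in the SIEM or EDR query language and tuned against the environment's legitimate use of mshta.exe and scripting hosts.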

After execution, DownEx begins a recursive scan of local and network drives and collects files with certain extensions: .doc, .docx, .rtf, .xlsx, .xls, .pdf, .ppt, .pptx, .~tm, .bmp, .rar, .jpg, .odt, .p12, .heic, .enc, .jpeg, .tiff, .tif, .zip, .crf, .enc, .cr, .lhz, .pem, .pgp, .sbx, .tlg.

The attackers were clearly interested in sensitive files such as .pgp (Pretty Good Privacy) and .pem (Privacy Enhanced Mail), but also in financial data such as QuickBooks journal files (.tlg extension).

Exfiltration uses ZIP archives, each limited to 30 MB of uncompressed data; several archives are created when necessary. To limit the volume, DownEx stores CRC checksums of files already collected so that they are not sent twice. The malware sends the archives to the C2 server in a POST request.
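Chunked exfiltration of this kind (several near-limit POST bodies from one host to one external server in quick succession) is visible in web-proxy logs even when the payload itself is opaque. The following Python script is an added example, not code from the article or its sources: it parses constructed proxy log lines in an assumed format, groups large POST bodies per client and destination host, and flags pairs that exceed a count or volume threshold. The log format, the RFC 5737 documentation addresses, the hostnames and the thresholds are all this example's own.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the campaign) in an assumed format:
# timestamp client method url status request_body_bytes
LOG_LINES = """\
2023-03-01T10:00:01Z 10.0.0.5 GET http://intranet.example/news 200 0
2023-03-01T10:02:11Z 10.0.0.5 POST http://203.0.113.10/api/upload 200 16777216
2023-03-01T10:02:40Z 10.0.0.5 POST http://203.0.113.10/api/upload 200 16777216
2023-03-01T10:03:05Z 10.0.0.5 POST http://203.0.113.10/api/upload 200 9437184
2023-03-01T10:05:00Z 10.0.0.7 POST http://files.example/share 200 2097152
2023-03-01T10:06:00Z 10.0.0.5 POST http://203.0.113.10/api/register 200 1024
""".splitlines()


def parse(line: str) -> dict:
    """Parse one log line of the assumed format into a record."""
    ts, client, method, url, status, body = line.split()
    return {"ts": ts, "client": client, "method": method,
            "host": urlsplit(url).hostname, "status": int(status), "body_bytes": int(body)}


def find_upload_bursts(lines=LOG_LINES, min_body=1 << 20, min_count=3, min_total=16 << 20) -> list:
    """Group large POST bodies per (client, host); flag pairs with many uploads or a large total.

    Thresholds are example values: a 1 MiB body is "large", three such uploads or 16 MiB in total
    (the archive limit the article reports for task A3) from one client to one host raises an alert.
    """
    uploads = defaultdict(list)
    for rec in map(parse, lines):
        if rec["method"] == "POST" and rec["body_bytes"] >= min_body:
            uploads[(rec["client"], rec["host"])].append(rec["body_bytes"])
    alerts = []
    for (client, host), sizes in sorted(uploads.items()):
        if len(sizes) >= min_count or sum(sizes) >= min_total:
            alerts.append({"client": client, "host": host, "uploads": len(sizes),
                           "total_bytes": sum(sizes), "largest_bytes": max(sizes)})
    return alerts


if __name__ == "__main__":
    for alert in find_upload_bursts():
        print(f"{alert['client']} -> {alert['host']}: {alert['uploads']} uploads, "
              f"{alert['total_bytes'] / (1 << 20):.1f} MiB total, largest {alert['largest_bytes']} bytes")
```

A production rule would add a time window and an allow-list of known upload destinations (backup and file-sharing services), and would correlate the destination host with threat-intelligence data before paging anyone.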

A second, VBScript-based version of DownEx with the same functionality as the C++ version ran entirely in memory as a fileless attack and was never written to disk on the compromised machines. Such attacks are difficult to detect.

Optimized data exfiltration requires comprehensive protection

DownEx illustrates the sophistication and professionalism of modern cyberattacks. Cybercriminals are working hard to make their attacks more effective, less noticeable and more versatile. To detect and prevent such campaigns, authorities and companies need a combination of advanced cybersecurity technologies.

Advanced malware detection with machine learning that can identify malicious scripts, email filtering, sandboxing to detonate suspicious files, network protection that can block C2 connections, and detection and response that extends beyond the endpoints themselves, supported by external security analysts, are all part of the modern defence toolkit.

Mainton Company - custom software development and testing, SEO and online advertising since 2004.
