A new multi-stage attack has been observed that uses a malicious document crafted to impersonate Energoatom, the Ukrainian state enterprise responsible for managing the country's four nuclear power plants. The attack uses Havoc, an open-source C2 and post-exploitation framework, to deliver multiple payloads across its stages.
What has been revealed?
Researchers from FortiGuard Labs have shared details of the malicious document, the evasion techniques, and other unusual artifacts used by the attackers. They assess that the activity is either still under development or part of a red-team exercise.
The malicious document is delivered inside an ISO image archive that carries the same name as the document itself.
Users are urged to enable Word's macro execution in order to open the document, which is presented as protected by the Ukrainian document management software M.E. Doc.
Once macros are enabled, the overlay image disappears and reveals a list of people authorized to receive protective equipment, while a series of malicious actions starts executing in the background.
Multi-stage payloads
The malware checks whether the file OfficeTelemetry.dll exists at a specific path on the system; the next-stage payloads are retrieved depending on the result.
If OfficeTelemetry.dll exists, it is executed. Despite its DLL name, the file is a standalone executable.
Upon execution, it locates a compressed payload in memory, performs further cleanup to recover another payload, and runs it via ShellExecute.
The second stage consists of shellcode with the Havoc C2 agent DLL appended. The shellcode locates the payload in memory and calls a loader named KaynLdr.
KaynLdr in turn loads the Havoc Demon agent, which communicates with the C2 server to receive further instructions. The entire code is protected by several layers of obfuscation.
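The infection chain above leaves a recognizable trail on the endpoint: an ISO is mounted, Word opens a document whose base name matches the image, Word touches a file named OfficeTelemetry.dll in a user-writable location, and that file is launched as a child of the Office process. The following Python script, added here as an illustration and not part of the FortiGuard report or the Havoc project, runs that detection logic over a few constructed JSON-lines endpoint events. The event schema, the trusted-path prefixes, and the list of Office process names are assumptions; the report does not state the exact path the macro checks, so the script keys on the file name alone.

```python
import json
import ntpath

# Constructed endpoint events (JSON lines); not telemetry from the report.
# They mimic the chain described above: an ISO mounted from Downloads, Word
# opening a document with the same base name from the mounted image, Word
# touching OfficeTelemetry.dll in a user-writable directory, that file being
# launched as a child of Word, and a control event under Program Files that
# the trusted-path filter should ignore.
SAMPLE_LOG = r'''
{"type": "iso_mount", "image": "C:\\Users\\u\\Downloads\\Energoatom_list.iso", "mount": "E:"}
{"type": "file_open", "process": "WINWORD.EXE", "path": "E:\\Energoatom_list.doc"}
{"type": "file_open", "process": "WINWORD.EXE", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\OfficeTelemetry.dll"}
{"type": "process_create", "parent": "WINWORD.EXE", "child": "C:\\Users\\u\\AppData\\Local\\Temp\\OfficeTelemetry.dll"}
{"type": "file_open", "process": "WINWORD.EXE", "path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OfficeTelemetry.dll"}
'''

# Assumed process names and document extensions (hypothetical, not from the report).
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOCUMENT_EXTS = {".doc", ".docm", ".docx", ".xls", ".xlsm"}
# Assumed trusted install locations; anything else is treated as user-writable.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# File name the macro checks for before fetching the next stage (from the report).
STAGE_FILE = "officetelemetry.dll"


def load_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events):
    """Return (finding_kind, detail) tuples for the chain indicators."""
    findings = []
    mounted = {}  # drive letter -> base name of the mounted ISO image
    for ev in events:
        kind = ev.get("type")
        if kind == "iso_mount":
            stem = ntpath.splitext(ntpath.basename(ev["image"]))[0].lower()
            mounted[ev["mount"].lower()] = stem
        elif kind == "file_open":
            path = ev["path"]
            drive = ntpath.splitdrive(path)[0].lower()
            stem, ext = ntpath.splitext(ntpath.basename(path))
            # Document inside a mounted ISO that shares the ISO's own name.
            if drive in mounted and stem.lower() == mounted[drive] and ext.lower() in DOCUMENT_EXTS:
                findings.append(("iso_same_name_document", path))
            # The stage-gating file name outside an assumed trusted location.
            if (stem + ext).lower() == STAGE_FILE and not path.lower().startswith(TRUSTED_PREFIXES):
                findings.append(("stage_file_untrusted_path", path))
        elif kind == "process_create":
            # Office applications rarely need to spawn children; flag any.
            if ev["parent"].lower() in OFFICE_PROCESSES:
                findings.append(("office_child_process", ev["child"]))
    return findings


def severity(findings):
    """Two or more distinct indicator kinds in one session is treated as high."""
    kinds = {k for k, _ in findings}
    if len(kinds) >= 2:
        return "high"
    return "medium" if kinds else "none"


if __name__ == "__main__":
    found = analyze(load_events(SAMPLE_LOG))
    for kind, detail in found:
        print(f"[{kind}] {detail}")
    print("severity:", severity(found))
```

Each indicator on its own is weak (an ISO with a same-named document is common for legitimate software distribution, and Office does spawn children for add-ins), which is why the script only raises severity when several distinct indicators occur together in one session.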
Evasion tactics - anti-debug tricks
To complicate analysis, the VBA code in the macro uses several interesting techniques that can crash a debugger and cause malware analysis tools such as oletools to throw multiple errors.
When the file is processed with oletools, it produces several errors, most of which report that stream files are referenced in the code but cannot be found in the archive.
When the file is decompressed to a stream inside the file, the tool reports an error about an incorrect file signature.
The primary infection function is launched via Application.OnTime, a function normally used to schedule VBA procedures to run at a specific time.
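Because the macro hands its real work to Application.OnTime rather than calling it directly from Document_Open, a triage tool that only looks at the entry-point procedure can miss the payload. The Python snippet below, added here as an example and not code from the FortiGuard report or oletools, extracts the procedures that a macro schedules through Application.OnTime and checks their bodies for execution primitives. The VBA source is constructed for the example, and the scanner assumes the positional form of OnTime (time, "procedure") and already-decompressed VBA text, as produced by a tool such as olevba.

```python
import re

# Constructed VBA source (not the real macro): a Document_Open handler that
# defers the real work through Application.OnTime, as the report describes,
# plus a benign procedure that should not be flagged.
SAMPLE_VBA = r'''
Private Sub Document_Open()
    Application.OnTime Now + TimeValue("00:00:02"), "RunStage"
End Sub

Sub RunStage()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run "C:\Users\u\AppData\Local\Temp\OfficeTelemetry.dll", 0
End Sub

Sub Harmless()
    MsgBox "Hello"
End Sub
'''

# Positional form only: Application.OnTime <when>, "<procedure>"
# (the named-argument form Procedure:="x" is not handled here).
ONTIME_RE = re.compile(r'Application\.OnTime\s+(?P<when>[^\n]+?),\s*"(?P<proc>\w+)"', re.I)

# Sub/Function definitions together with their bodies.
PROC_RE = re.compile(
    r'^[ \t]*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(?P<name>\w+)\s*\([^)]*\)(?P<body>.*?)'
    r'^[ \t]*End\s+(?:Sub|Function)',
    re.I | re.M | re.S,
)

# Execution primitives worth a closer look in a scheduled procedure.
SUSPICIOUS = [
    ("CreateObject", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("WScript.Shell", re.compile(r"WScript\.Shell", re.I)),
    ("Shell/Run", re.compile(r"\bShell\s*\(|\.Run\b|ShellExecute", re.I)),
    ("Environ", re.compile(r"\bEnviron\s*\(", re.I)),
]


def find_procedures(src):
    """Map procedure name -> body text for every Sub/Function in the source."""
    return {m.group("name"): m.group("body") for m in PROC_RE.finditer(src)}


def find_scheduled(src):
    """Return (procedure, when-expression) pairs scheduled via Application.OnTime."""
    return [(m.group("proc"), m.group("when").strip()) for m in ONTIME_RE.finditer(src)]


def suspicious_calls(body):
    """Labels of the execution primitives found in a procedure body."""
    return [label for label, rx in SUSPICIOUS if rx.search(body)]


def triage(src):
    """For each OnTime-scheduled procedure, report when it fires and what it calls."""
    procs = find_procedures(src)
    report = {}
    for proc, when in find_scheduled(src):
        report[proc] = {"when": when, "markers": suspicious_calls(procs.get(proc, ""))}
    return report


def is_suspicious(src):
    """True when any scheduled procedure contains an execution primitive."""
    return any(r["markers"] for r in triage(src).values())


if __name__ == "__main__":
    for proc, info in triage(SAMPLE_VBA).items():
        print(f"{proc}: fires at {info['when']}; markers = {info['markers']}")
```

Following the scheduled procedure rather than stopping at Document_Open is the point of the example: the deferred call is what a static scan keyed on the entry point, or a sandbox that times out before the delay elapses, would miss.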
Ending notes
The use of multiple creative ways to hide the actual payload code and evade detection means that, even after infection, the malware developers have ample time to complete post-exploitation activities. The use of the Havoc framework further complicates analysis. To stay protected, experts recommend a proactive approach, including the use of a threat intelligence platform.