In 2022, Bitdefender Labs encountered a highly targeted cyberattack campaign that was launched using a new sophisticated malware, dubbed DownEx. While much information about the malware was not available at that time, researchers could collect details lately after it was used in a cyberespionage attack against Afghanistan.
What has been found?
Based on the level of sophistication and nature of the target, it is believed that the malware is the work of APT28 (aka Fancy Bear), a Russian state-sponsored group.
- The attack chain begins with spear-phishing messages that use diplomat-theme lures, such as ‘! to embassy kazakh 2022.exe’ to entice targets.
- The phishing message includes malicious executable files posing as a Microsoft Word document.
- Once the executable files are unpacked on the victim’s systems, two additional files are downloaded, which further enable the execution of DownEx malware in the final stage.
- To establish communication, threat actors deployed a Python-based backdoor ‘help.py’.
Unwrapping DownEx malware
DownEx is a C++-based malware, which does not share any code similarities with previously known malware families.
- One clue points to the use of a cracked version of Microsoft Office 2016 in the campaign, an attack tactic previously used by Fancy Bear.
- In addition to the C++ version, researchers also spotted a VBScript-based version of the malware used in a fileless malware attack.
- DownEx is primarily designed to collect confidential and financial data from files with specific extensions such as .doc, .docx, .rtf, .xlsx, .xls, .pdf, .ppt, and .pptx. Once information is collected, the files are exfiltrated using a password-protected zip archive.
Conclusion
An up-to-date and complete list of IOCs associated with the DownEx malware attack campaign is available to help organizations and security experts detect malicious activity early in the attack sequence. Additionally, organizations can also implement advanced malware detection and email filtering techniques to detect, block, and respond to threats at the initial stage.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/7afb_shutterstock_2264055043.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/dbda_shutterstock_2048016017.jpg)
