The initial vector is a document containing a macro. In the macro code, several functions with different names share the same body, which obfuscates the code and makes analysis harder.
The macro also uses StrReverse to reverse the data. Finally, it combines the pieces and executes the result with a Shell call.
This uses the mshta command to download and execute the external content. The bitly URL points to a pastebin paste, which is the first stage.
First stage
The first stage executed on the computer is a JS script that uses nested unescape (three times).
At the third layer, we can see a VB script using several obfuscation methods (StrReverse, split variables, multiple WScript objects).
Finally, the script kills the Word, Excel, Publisher and PowerPoint instances, adds persistence to re-execute this script and reinfect the computer, creates two scheduled tasks for the second stage, and closes the hidden window. The persistence via the Run key may look useless, but it is used as an update vector to change the TTPs or to run a kill switch on the operation.
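To peel the nested unescape layers and undo the StrReverse calls during analysis, here is an added Python helper (my own example, not the author's tooling); the wrapped script it decodes is a harmless sample constructed inside the block, not the real first stage.

```python
"""Peel nested JScript unescape() layers and undo VBScript StrReverse()."""
import re

# unescape("...") or unescape('...') anywhere in the script (e.g. inside eval()).
UNESCAPE_RE = re.compile(r"""unescape\(\s*(["'])(.*)\1\s*\)""", re.S)
# StrReverse("...") with a quoted literal argument in the VBScript layer.
STRREVERSE_RE = re.compile(r"""StrReverse\(\s*(["'])(.*?)\1\s*\)""", re.S)


def js_unescape(text):
    """Decode JScript unescape() input: %XX byte escapes and %uXXXX code units."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, text)


def peel_unescape(script, max_layers=10):
    """Strip successive unescape("...") wrappers; return (inner script, layers removed)."""
    layers = 0
    current = script
    while layers < max_layers:
        m = UNESCAPE_RE.search(current)
        if not m:
            break
        current = js_unescape(m.group(2))
        layers += 1
    return current, layers


def undo_strreverse(vbs):
    """Replace each StrReverse("...") literal with the reversed (i.e. readable) string."""
    return STRREVERSE_RE.sub(lambda m: '"' + m.group(2)[::-1] + '"', vbs)


def js_escape(text):
    """Percent-encode every character, the inverse of js_unescape (used to build test input)."""
    return "".join(f"%u{ord(c):04X}" if ord(c) > 0xFF else f"%{ord(c):02X}" for c in text)


def build_sample(inner, layers):
    """Constructed sample: wrap `inner` in `layers` nested unescape() calls."""
    cur = inner
    for _ in range(layers):
        cur = 'eval(unescape("' + js_escape(cur) + '"));'
    return cur


if __name__ == "__main__":
    # Harmless constructed payload standing in for the third-layer VB script.
    sample = build_sample('WScript.Echo StrReverse("dlrow olleh")', 3)
    inner, n = peel_unescape(sample)
    print(f"layers removed: {n}")
    print(undo_strreverse(inner))
```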
Second stage
The first pastebin paste also uses a JS script with three layers of unescape and the same obfuscation methods as before.
We can observe two additional requested pastebin links. The first uses the LoadWithPartialName function of Reflection.Assembly in the .NET Framework to download and execute raw hex data in memory; in addition, it executes the byte array of the downloaded PE by hijacking the calc program. The second pastebin link closes the hidden window.
Loader + FormBook
Loader
The loader has one layer of obfuscation, using the GetString method to obtain the command and the data of the future DLL.
It then replaces the characters %_ with 0x using the Replace function to obtain a valid array of hex bytes, and executes it in memory.
The DLL is protected with the ConfuserEx (1.0.0.0) protector; we can see the escaped characters and the reference module.
References MITRE ATT&CK Matrix
List of all the references to the MITRE ATT&CK Matrix