Threat-researchers at CyberHUB-AM, with the support from Internews’ Martijn Grooten, are tracking a Remote Access Trojan targeting the Armenia International Airports and Armenian State Bodies. The attack was first identified by a Singapore-based cybersecurity researcher – Zhixiang Hao.
The malware is embedded within an MS Word document, which is presented as an official warning message from Armenia’s National Security Service, and employs VBA Macro code and powershell script to gain foothold in the system.
This report provides an in-depth analysis of the malware, its functionality, and associated indicators of compromise (IOCs) to enable effective threat mitigation.
We have published a separate paper with more technical data, which would be of interest to technical researchers.
Attack Overview
Malware Sample Information:
- File Name: haytararutyun.doc
- SHA-256 Hash: fa406c532ea3d7cae05411df0ed5a541630a07f26a247a22d907f424397c72ce
- Delivery Method: The malware is delivered through a Word document (haytararutyun.doc) that contains a malicious VBA Macro code.
VBA Macro Functionality: The VBA Macro code within the document performs the following actions:
- Downloads a file (ekeng-mta.exe) from a remote server (hxxps[://]karabakhtelekom[.]com/api/ekeng-mta[.]exe).
- Executes the downloaded file using the command cmd /c C:\users\Public\Downloads\ekeng-mta.exe.
- Copies a file (Server.bat) to a different location.
- Runs Server.bat with the vbHide attribute, potentially executing malicious code.
- Contacts a remote Command and Control (C2) server (139.84.231.199) using PowerShell.
- Utilizes encoded commands to bypass protection systems.
- Downloads additional files, including mta.ps1 and mta.dll, which are associated with the UrbanBishop payload.
UrbanBishop Payload:
- The malware includes a payload known as UrbanBishop, which is used for shellcode execution.
- UrbanBishop is a potentially open-source tool for Remote Access and Trojan (RAT) functionality.
Indicators of Compromise (IOCs)
Malicious Files:
haytararutyun.doc
- SHA-256 Hash:fa406c532ea3d7cae05411df0ed5a541630a07f26a247a22d907f424397c72ce
ekeng-mta.exe
- SHA-256 Hash: 3a679cb98f88d7d6bd84dcfe9717238c08c05942055bdb798103224e7f2f2ca9
mta.ps1
- SHA-256 Hash: 60416198c9b2105c9204638fd00e154e2f5c32ba45f5a8ae2671bae565c062e9
mta.dll
- SHA-256 Hash: be4bf8ae8ad02363ec3a3a0a932a439eab48c9427375038d121421806be32051
C2 Server:
- IP Address: 139.84.231.199
- Location: Africa (likely a VPS server)
Domain:
- Domain Name: karabakhtelekom.com
- Registrar: eNom, LLC
- Creation Date: 2023-09-04
- Updated Date: 2023-09-11
- Currently on clientHold status
Mitigation Strategies
Monitor Outgoing Connections:
- Implement monitoring of outgoing connections with PowerShell user-agent strings.
Network Layer Restriction:
- Restrict access to the IP address 139.84.231.199 at the network layer.
Process Monitoring:
- Continuously monitor running child processes, especially mta.dll.
Hash Value Checking:
Check the hash values of critical files:
- mta.ps1 (SHA1: 72EF210030F0F470433A6AACC66DFBE4CBFDAD5C)
- mta.dll (SHA1: F5145EC20482B39B727E980169DA92E36D4C5A6E)
Email Gateway Protection:
- Block emails originating from the domain aacpress.net to prevent further attacks.
Conclusion
This threat analysis report outlines a malware campaign targeting Armenians using a malicious MS Word document with embedded VBA Macro code. The malware’s functionalities include downloading and executing malicious payloads, contacting a remote C2 server, and utilizing the UrbanBishop payload. Mitigation strategies are provided to safeguard against this threat, emphasizing the importance of proactive monitoring and network security measures. Security teams are encouraged to stay vigilant and update their defenses accordingly.