Hackers Exploiting Amazon Services To Deliver Weaponized MSC Files


Hackers frequently abuse Amazon services because of their scale, cheap compute and storage, and global reach.

Those same properties make AWS attractive for hosting malicious payloads and for blending command-and-control traffic in with legitimate cloud traffic that few organisations block.


Cybersecurity analysts at ASEC recently identified a campaign that abuses Amazon Web Services (AWS) to deliver weaponized MSC files.

Technical Analysis

MSC (Microsoft Management Console snap-in) files are XML documents that mmc.exe opens and executes. The malware abuses that XML structure to carry a payload that runs when the victim opens the console file.

Internal code of MSC file (Source – ASEC)

Recent variants, disclosed by Elastic Security Labs on June 22, place the payload inside the “” section of the MSC file. The malware exploits a vulnerability in apds.dll, and the campaign targets AhnLab TIP users.
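As an added example (not code from ASEC, Elastic, or the campaign itself), the following Python scanner parses an .msc file's XML and flags the traits described above: an apds.dll reference, embedded script, external URLs, and DLL/EXE paths such as C:\Users\Public. The two sample consoles are constructed, and the StringTable layout used in them is an assumption, since the page does not name the section the payload is placed in; the scanner therefore checks every text node and attribute rather than one element.

```python
"""Heuristic scanner for suspicious Microsoft Management Console (.msc) files.

Added example, not ASEC's or Elastic's code. It parses the XML body of an
MSC file and flags references to apds.dll, embedded script/HTML, external
URLs, and DLL/EXE paths such as C:\\Users\\Public. The element that carries
the payload is not named on the page, so every text node and attribute is
scanned; the StringTable layout in the samples below is an assumption.
"""
import re
import xml.etree.ElementTree as ET

# Constructed samples (not real ASEC artifacts). Note that the script tag is
# XML-escaped inside the file, so a raw-bytes grep for "<script" would miss it.
SUSPICIOUS_MSC = r"""<?xml version="1.0" encoding="UTF-8"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1">Defense industry review (for review)</String>
        <String ID="2">res://apds.dll/redirect.html?target=&lt;script&gt;/* payload */&lt;/script&gt;</String>
        <String ID="3">C:\Users\Public\msedge.dll</String>
        <String ID="4">https://example-bucket.s3.amazonaws.com/Logs.txt</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

BENIGN_MSC = r"""<?xml version="1.0" encoding="UTF-8"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1">Event Viewer (Local)</String>
        <String ID="2">Services</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Indicators worth a second look in a console file. A legitimate MSC holds
# snap-in GUIDs and display strings, not script, URLs or dropped binaries.
PATTERNS = {
    "apds_dll_reference": re.compile(r"apds\.dll", re.I),
    "embedded_script": re.compile(r"<\s*script\b|javascript:", re.I),
    "external_url": re.compile(r"https?://", re.I),
    "dropped_binary_path": re.compile(r"[A-Za-z]:\\[^\"'<>\s]*\.(?:dll|exe)\b", re.I),
    "public_folder": re.compile(r"\\Users\\Public\\", re.I),
}


def iter_text_nodes(root):
    """Yield (element path, text) for every text node and attribute value."""
    stack = [(root, root.tag)]
    while stack:
        elem, path = stack.pop()
        if elem.text and elem.text.strip():
            yield path, elem.text
        for name, value in elem.attrib.items():
            yield f"{path}@{name}", value
        for child in elem:
            if child.tail and child.tail.strip():
                yield path, child.tail
            stack.append((child, f"{path}/{child.tag}"))


def scan_msc(xml_text):
    """Return a list of (indicator, path, snippet); an empty list means clean."""
    try:
        root = ET.fromstring(xml_text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except ET.ParseError as exc:
        # MMC will not open a malformed console either, but flag it anyway.
        return [("xml_parse_error", "", str(exc))]
    hits = []
    for path, text in iter_text_nodes(root):
        for name, pattern in PATTERNS.items():
            m = pattern.search(text)
            if m:
                start = max(0, m.start() - 20)
                hits.append((name, path, text[start:m.end() + 20].strip()))
    return hits


def is_suspicious(xml_text, threshold=1):
    """True when at least `threshold` indicators fire."""
    return len(scan_msc(xml_text)) >= threshold


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_MSC), ("benign", BENIGN_MSC)):
        print(label, "->", scan_msc(doc) or "no indicators")
```

Because the scanner works on the decoded text of each node, entity-escaped script (`&lt;script&gt;`) is caught; a byte-level grep on the file would not see it. Tune `threshold` upward if your environment ships consoles that legitimately reference URLs.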

One analyzed sample, named “Attempts to strengthen Japan’s defense capabilities and revive its defense industry (for review).msc”, downloads malicious files, including “msedge.dll”, from AWS S3 into “C:\Users\Public”.

Communication history (Source – ASEC)

It opens a legitimate PDF as a decoy while “Edge.exe” loads “msedge.dll”, which decrypts “Logs.txt” into shellcode.

(Left) MSC final payload (Right) Decoy PDF document (Source – ASEC)

The shellcode is injected into a newly spawned dllhost.exe process, which then connects to “152.42.226.161:88/ins.tg” to retrieve an additional payload.

The final stage attempts to reach “static.sk-inc.online:8443/etc.clientlibs/microsoft/clientlibs/clientlib-mwf-new/resources/fonts” for further downloads, but that server was inactive at the time of analysis.

This sophisticated attack chain demonstrates the evolving tactics of MSC-based malware campaigns.

In a second sample, files are again downloaded from AWS S3 into “C:\Users\Public”. Execution then passes to “oncesvc.exe”, which is in fact a renamed copy of “dfsvc.exe”, the .NET ClickOnce deployment host.

Its configuration file, “oncesvc.exe.config”, points it at an executable that it loads and runs. That “JSON” file is a DLL in disguise; it uses AES to decrypt the embedded URL “hxxps://speedshare.oss-cn-hongkong.aliyuncs.com/2472dca8c48ab987e632e66caabf86502bf3.xml” (an Alibaba Cloud OSS bucket).

Code that creates and executes a new thread (Source – ASEC)

The shellcode is downloaded from that URL and executed in a new thread. It then attempts to contact Amazon Cloud; if that succeeds, the data it receives is decrypted and executed in yet another thread.

Notably, no trace of “readme.docx”, presumably a decoy document, was found.
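The two chains above share a few host-level tells: a DLL loaded from C:\Users\Public, dllhost.exe making its own outbound connection to a public IP on an unusual port, a renamed .NET host (dfsvc.exe running as oncesvc.exe), and mmc.exe launching a binary from a user-writable path. The following added example (not ASEC's tooling) encodes those as rules over constructed, Sysmon-style events; the event schema and field names are assumptions modelled on Sysmon's process-create, network-connect and image-load events.

```python
"""Detection logic for the MSC delivery chains described above, run over
constructed Sysmon-style events (1 = process create, 3 = network connect,
7 = image load). Added example; the events and field names are constructed
to resemble Sysmon and are not ASEC telemetry.
"""
import ipaddress
import re
from pathlib import PureWindowsPath

# Directories a phishing payload can write to without elevation (assumption
# for the example; extend the list to match your environment).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\(?:public|[^\\]+\\(?:downloads|appdata\\local\\temp))\\", re.I
)

# Constructed events: the first three mirror the chains in the article, the
# last three are benign look-alikes that the rules must not fire on.
EVENTS = [
    {"id": 1, "Image": r"C:\Users\Public\oncesvc.exe", "OriginalFileName": "dfsvc.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe"},
    {"id": 7, "Image": r"C:\Users\Public\Edge.exe", "ImageLoaded": r"C:\Users\Public\msedge.dll"},
    {"id": 3, "Image": r"C:\Windows\System32\dllhost.exe", "DestinationIp": "152.42.226.161",
     "DestinationPort": 88},
    {"id": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "OriginalFileName": "dfsvc.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 7, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "ImageLoaded": r"C:\Program Files\Microsoft\Edge\Application\msedge.dll"},
    {"id": 3, "Image": r"C:\Windows\System32\dllhost.exe", "DestinationIp": "10.0.0.5",
     "DestinationPort": 445},
]


def _name(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def rule_renamed_dfsvc(ev):
    """dfsvc.exe (the .NET ClickOnce host) running under another file name."""
    if ev["id"] == 1 and ev.get("OriginalFileName", "").lower() == "dfsvc.exe" \
            and _name(ev["Image"]) != "dfsvc.exe":
        return "renamed_dfsvc"
    return None


def rule_mmc_child(ev):
    """A console (.msc) task in mmc.exe launching a binary from a user-writable path."""
    if ev["id"] == 1 and _name(ev.get("ParentImage", "")) == "mmc.exe" \
            and USER_WRITABLE.match(ev["Image"]):
        return "mmc_child_in_user_writable_dir"
    return None


def rule_sideload(ev):
    """A DLL loaded from a user-writable directory such as C:\\Users\\Public."""
    if ev["id"] == 7 and USER_WRITABLE.match(ev.get("ImageLoaded", "")):
        return "dll_from_user_writable_dir"
    return None


def rule_dllhost_egress(ev):
    """dllhost.exe (COM surrogate) talking to a public IP on a non-web port."""
    if ev["id"] == 3 and _name(ev["Image"]) == "dllhost.exe":
        ip = ipaddress.ip_address(ev["DestinationIp"])
        if ip.is_global and ev["DestinationPort"] not in (80, 443):
            return "dllhost_public_egress"
    return None


RULES = (rule_renamed_dfsvc, rule_mmc_child, rule_sideload, rule_dllhost_egress)


def detect(events):
    """Return (rule_name, image) for every event that trips a rule."""
    alerts = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append((name, ev["Image"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

The renamed-binary rule relies on Sysmon's `OriginalFileName` field, which is read from the PE version resource, so renaming the file on disk does not defeat it; the egress rule would also catch the 8443 connection to the second-stage host, since only ports 80 and 443 are treated as ordinary web traffic for dllhost.exe.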

Malware of this kind is believed to spread via phishing emails, which highlights the need for caution when opening attachments, and console (.msc) files in particular, from unexpected senders.


Indicators of Compromise

  • 0c93507db212c506fa82ffaadff7e034
  • 22a4b86bf351bf855b9205bd3255ad5e
  • 249c2d77aa53c36b619bdfbf02a817e5
  • 4b643cf1bb43941073fe88ad410da96e
  • 4ee936e21e154ae7e64e95b4537b0c7c


