Our threat hunters have been busy searching for abuse of the recently released zero-day remote code execution bug in Microsoft Office (CVE-2022-30190). As part of their investigations, they found evidence of a threat actor hosting malicious payloads on what appears to be an Australian VOIP telecommunications provider with a presence in the South Pacific nation of Palau.

Further analysis indicated that targets in Palau were sent malicious documents that, when opened, exploited this vulnerability, causing victim computers to contact the provider’s website, download and execute the malware, and subsequently become infected.
This threat was a complex multi-stage operation utilizing LOLBAS (Living off the Land Binaries And Scripts), which allowed the attacker to initialize the attack using the CVE-2022-30190 vulnerability within the Microsoft Support Diagnostic Tool. This vulnerability enables threat actors to run malicious code without the user downloading an executable to their machine, which might otherwise be detected by endpoint detection. Multiple stages of this malware were signed with a legitimate company certificate to add legitimacy and minimize the chance of detection.
The compromised website, as pictured in the screenshot below, was used to host an executable disguised as “robots.txt”. We believe the name was chosen so that the file would not stand out if found in network logs. Using the Diagnostics Troubleshooting Wizard (msdt.exe), this “robots.txt” file was downloaded, saved as Sihost.exe and then executed.
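The process chain described above (Office document, msdt.exe, a dropped executable named after a legitimate Windows binary) is what a defender can look for in endpoint telemetry. The following Python is an added example, not code from the report or from Avast: it runs three rules over constructed, Sysmon event ID 1-style process creation records (the `pid`/`ppid`/`image` fields and the sample paths are assumptions, not telemetry from this incident).

```python
"""Detection rules for the Office -> msdt.exe -> dropped payload chain.

Rule 1 flags msdt.exe started (directly or indirectly) by an Office application.
Rule 2 flags any descendant of msdt.exe whose image lives outside the Windows
system directories. Rule 3 flags a process named sihost.exe that is not the
genuine C:\\Windows\\System32\\sihost.exe (the report's payload was saved under
that name to blend in).
"""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample events (assumed Sysmon-like schema); not from the incident.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\msdt.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\sdiagnhost.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\victim\AppData\Local\Temp\Sihost.exe"},
    # Benign troubleshooter launched from the desktop: should not alert.
    {"pid": 500, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\msdt.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\sdiagnhost.exe"},
]


def name_of(path: str) -> str:
    """Lower-cased file name of an image path."""
    return ntpath.basename(path).lower()


def ancestry(pid: int, by_pid: dict) -> list:
    """The event for pid followed by its parent, grandparent, ... (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: list) -> list:
    """Return (rule_name, pid) tuples for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        names = [name_of(x["image"]) for x in ancestry(e["pid"], by_pid)]
        image = e["image"].lower()
        # Rule 1: msdt.exe with an Office application somewhere above it.
        if names[0] == "msdt.exe" and any(n in OFFICE_APPS for n in names[1:]):
            alerts.append(("office_spawned_msdt", e["pid"]))
        # Rule 2: something under msdt.exe running from a non-system location.
        if "msdt.exe" in names[1:] and not image.startswith(SYSTEM_DIRS):
            alerts.append(("msdt_descendant_outside_system", e["pid"]))
        # Rule 3: sihost.exe masquerade (real one lives only in System32).
        if names[0] == "sihost.exe" and not image.startswith(SYSTEM_DIRS[0]):
            alerts.append(("sihost_masquerade", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 alone would also fire on a user who opens a troubleshooter from a document, so in practice rule 2 (a non-system executable beneath msdt.exe) is the higher-confidence signal; the sample's benign explorer.exe chain produces no alert at all.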
Second Stage, Sihost.exe
When the renamed “robots.txt” – “Sihost.exe” – was executed by msdt.exe, it downloaded the second stage of the attack, a loader with the hash b63fbf80351b3480c62a6a5158334ec8e91fecd057f6c19e4b4dd3febaa9d447. This executable was then used to download and decrypt the third stage of the attack, an encrypted file stored as ‘favicon.svg’ on the same web server.
Third stage, favicon.svg
After this file has been decrypted, it is used to download the fourth stage of the attack from palau.voipstelecom.com[.]au. These files are named Sevntx.lnk and are then executed on the victims’ machine.
Fourth Stage, Sevntx64.exe and Sevntx64.lnk
When the file is executed, it loads a 66kb shellcode from the AsyncRat malware family; Sevntx64.exe is signed with the same compromised certificate as seen previously in “robots.txt”. The screenshot below shows the executable loading the shellcode.
Final Stage, AsyncRat
When the executable is loaded, the machine has been fully compromised with AsyncRat; the trojan is configured to communicate with the server palau[.]voipstelecom[.]com[.]au on port
Screenshot below with AsyncRat configuration:
We highly recommend Avast Software to protect against the latest threats, and Microsoft patches to protect your Windows systems from the latest
shellcode from Sevntx64.exe (66814 bytes)
We managed to find an earlier version of this malware.
Grievance Against Lawyers, Judge or Justice.doc.exe (signed)
Grievance Against Lawyers, Judge or Justice (1).zip\Grievance Against Lawyers, Judge or Justice.doc.exe
Palau, previous victim
Forensic information from the lnk file:
Birth droid MAC address
Birth droid file ID
Birth droid volume ID
Drive serial number
Droid file ID
Droid volume ID
Known folder ID
Link flags: EnableTargetMetadata, HasLinkInfo, HasRelativePath, HasTargetIDList, HasWorkingDir, IsUnicodeLocal
Target file size
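The fields listed above (droid and birth droid IDs, the MAC address derived from them, link flags, target file size) come from fixed structures in the Windows Shell Link format. As an added example, not code from the report or from Avast, the following Python parser reads those fields straight from a .lnk file according to the public MS-SHLLINK layout: the LinkFlags bitfield and target size in the 76-byte header, the StringData entries, and the TrackerDataBlock (signature 0xA0000003) whose version-1 GUIDs carry the generating machine's MAC address. The sample shortcut it builds is constructed here (the machine name, GUIDs, MAC and file size are made up) and is not the Sevntx64.lnk from the incident; flag names follow the specification rather than the tool output above (the spec calls the last one IsUnicode).

```python
"""Triage parser for Windows Shell Link (.lnk) files.

Extracts the LinkFlags, the target file size, StringData entries and the
TrackerDataBlock droids; the birth droid file id is a version-1 GUID, so its
node field yields the MAC address of the machine that created the shortcut.
Layout per MS-SHLLINK. The sample .lnk built below is constructed for this
example and is not the Sevntx64.lnk described in the report.
"""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
TRACKER_SIG = 0xA0000003          # ExtraData block signature of TrackerDataBlock
LINK_FLAGS = {                    # subset of the LinkFlags bitfield at header offset 20
    "HasLinkTargetIDList": 0x00000001,
    "HasLinkInfo":         0x00000002,
    "HasName":             0x00000004,
    "HasRelativePath":     0x00000008,
    "HasWorkingDir":       0x00000010,
    "HasArguments":        0x00000020,
    "HasIconLocation":     0x00000040,
    "IsUnicode":           0x00000080,
    "EnableTargetMetadata": 0x00080000,
}
STRING_ORDER = ("HasName", "HasRelativePath", "HasWorkingDir",
                "HasArguments", "HasIconLocation")   # fixed StringData order


def guid_mac(g: uuid.UUID):
    """A version-1 GUID embeds the generating NIC's MAC in its 48-bit node field."""
    if g.version != 1:
        return None
    return ":".join(f"{(g.node >> s) & 0xFF:02x}" for s in range(40, -1, -8))


def parse_tracker(block: bytes) -> dict:
    """TrackerDataBlock: size, sig, length, version, MachineID[16], Droid[2], DroidBirth[2]."""
    machine = block[16:32].split(b"\0", 1)[0].decode("ascii", "replace")
    vol, fid, bvol, bfid = (uuid.UUID(bytes_le=block[o:o + 16]) for o in (32, 48, 64, 80))
    return {
        "machine_id": machine,
        "droid_volume_id": str(vol), "droid_file_id": str(fid),
        "birth_droid_volume_id": str(bvol), "birth_droid_file_id": str(bfid),
        "birth_droid_mac": guid_mac(bfid),
    }


def parse_lnk(data: bytes) -> dict:
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    file_size, = struct.unpack_from("<I", data, 52)        # size of the target file
    info = {"flags": [n for n, b in LINK_FLAGS.items() if flags & b],
            "target_file_size": file_size, "strings": {}, "tracker": None}
    pos = header_size
    if flags & LINK_FLAGS["HasLinkTargetIDList"]:          # IDList: 2-byte size prefix
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & LINK_FLAGS["HasLinkInfo"]:                  # LinkInfo: size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & LINK_FLAGS["IsUnicode"] else (1, "cp1252")
    for name in STRING_ORDER:                              # CountCharacters + chars, no NUL
        if flags & LINK_FLAGS[name]:
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            info["strings"][name] = data[pos:pos + count * width].decode(enc)
            pos += count * width
    while pos + 8 <= len(data):                            # ExtraData: BlockSize, BlockSignature
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break                                          # TerminalBlock
        if sig == TRACKER_SIG and size >= 0x60:
            info["tracker"] = parse_tracker(data[pos:pos + size])
        pos += size
    return info


def build_sample_lnk() -> bytes:
    """Constructed sample shortcut pointing at a relative Sevntx64.exe (not the real file)."""
    flags = sum(LINK_FLAGS[n] for n in ("HasLinkTargetIDList", "HasLinkInfo",
                "HasRelativePath", "HasWorkingDir", "IsUnicode", "EnableTargetMetadata"))
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 115200, 0, 1, 0, 0, 0, 0)   # 115200 = made-up size
    idlist = struct.pack("<H", 2) + b"\0\0"                 # empty IDList + TerminalID
    linkinfo = struct.pack("<7I", 28, 28, 0, 0, 0, 0, 0)    # minimal LinkInfo header
    def s(text):                                            # one Unicode StringData entry
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    # Constructed droids: the file id is version 1 with node 00:0c:29:aa:bb:cc.
    vol = uuid.UUID("3f2504e0-4f89-41d3-9a0c-0305e82c3301")
    fid = uuid.UUID("5a8a3f00-0e2a-11ed-b1a8-000c29aabbcc")
    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
               + b"desktop-sample".ljust(16, b"\0")
               + vol.bytes_le + fid.bytes_le                # Droid
               + vol.bytes_le + fid.bytes_le)               # DroidBirth
    return (header + idlist + linkinfo + s(".\\Sevntx64.exe") + s(".")
            + tracker + struct.pack("<I", 0))


if __name__ == "__main__":
    print(parse_lnk(build_sample_lnk()))
```

On a real sample the droid file id and birth droid file id differ when the shortcut was created on one machine and later modified elsewhere, which is why both are listed separately above; the MAC from the birth droid identifies the machine where the .lnk was first created.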