GZipDe downloader found facilitating Metasploit backdoor infection

News by Jay Jay

Security researchers at AlienVault recently stumbled upon a new malicious document on VirusTotal which obfuscated process memory using a custom encryption method.

Security researchers at AlienVault recently stumbled upon a new malicious document on VirusTotal which not only obfuscated process memory using a custom encryption method but also communicated with a C&C server to install a Metasploit backdoor on targeted devices.

The malicious document, which contained information about a Shanghai Cooperation Organisation summit, was discovered by security researchers at AlienVault after it was uploaded to VirusTotal by a user in Afghanistan.

According to the researchers, the malicious file contained macro malware embedded in an MS Office Word document (.doc) as well as a .NET downloader which used a custom encryption method to obfuscate process memory and to evade antivirus detection. Once the Word document is opened by an unsuspecting user, the macro malware executes a Visual Basic script stored as a hexadecimal stream and also launches a new task in a hidden PowerShell console.

Once this is done, the malware then allocates a new memory page with execute, read and write privileges, decrypts the payload and executes it by launching a new thread. A closer inspection of the payload revealed that it was a Metasploit backdoor featuring shellcode to bypass system detection and a Meterpreter payload which could "gather information from the system and contact the command and control server to receive further commands".
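The two stages just described (an Office document spawning a hidden PowerShell, and that process allocating an execute/read/write page and starting a thread in it) are each visible in ordinary endpoint telemetry. The following detection sketch is an added example, not AlienVault's code or anything from the sample: the process-creation events and the API trace are constructed, their field names are an assumption rather than a real Sysmon or EDR schema, and only the Windows API names (VirtualAlloc, CreateThread, PAGE_EXECUTE_READWRITE) are real.

```python
"""
Detection sketch for the GZipDe-style chain: Office -> hidden PowerShell,
then RWX allocation followed by CreateThread in that PowerShell process.
Added example; all events below are constructed, not real telemetry.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed process-creation events (field names are an assumption, loosely
# modelled on a Sysmon Event ID 1 record).
PROCESS_EVENTS = [
    {"pid": 4120,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\summit.doc"'},
    {"pid": 5004,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <constructed-base64>"},
    {"pid": 5200,  # benign: an admin running PowerShell from cmd.exe
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"pid": 5300,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]

# Constructed per-process API trace, as a sandbox or EDR hook might record it.
API_EVENTS = [
    {"pid": 5004, "api": "VirtualAlloc", "flProtect": "PAGE_EXECUTE_READWRITE"},
    {"pid": 5004, "api": "RtlMoveMemory"},   # decrypted payload copied into the page
    {"pid": 5004, "api": "CreateThread"},    # payload started on a new thread
    {"pid": 5200, "api": "VirtualAlloc", "flProtect": "PAGE_READWRITE"},
    {"pid": 5200, "api": "CreateThread"},
    {"pid": 5300, "api": "VirtualAlloc", "flProtect": "PAGE_EXECUTE_READWRITE"},  # RWX, but no thread
]

# powershell.exe accepts prefixes of its switch names, so match the common short forms.
HIDDEN_RE = re.compile(r"-w(?:i(?:n(?:dowstyle)?)?)?\s+hidden\b", re.IGNORECASE)
ENCODED_RE = re.compile(r"-e(?:c|nc(?:oded(?:command)?)?)?\s+\S+", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_powershell(events):
    """Stage 1: PowerShell processes whose parent is an Office application.

    Returns {pid: {"hidden_window": bool, "encoded_command": bool}}.
    """
    hits = {}
    for ev in events:
        if basename(ev["parent_image"]) in OFFICE_APPS and basename(ev["image"]) in POWERSHELL:
            cmd = ev["cmdline"]
            hits[ev["pid"]] = {
                "hidden_window": bool(HIDDEN_RE.search(cmd)),
                "encoded_command": bool(ENCODED_RE.search(cmd)),
            }
    return hits


def rwx_alloc_then_thread(api_events):
    """Stage 2: pids that allocate an RWX page and later call CreateThread.

    Order matters: the thread must be created after the allocation in that process.
    """
    saw_rwx, flagged = set(), set()
    for ev in api_events:
        pid = ev["pid"]
        if ev["api"] == "VirtualAlloc" and ev.get("flProtect") == "PAGE_EXECUTE_READWRITE":
            saw_rwx.add(pid)
        elif ev["api"] == "CreateThread" and pid in saw_rwx:
            flagged.add(pid)
    return flagged


def correlate(process_events, api_events):
    """Pids showing both stages, i.e. the full chain the article describes."""
    stage1 = office_spawned_powershell(process_events)
    stage2 = rwx_alloc_then_thread(api_events)
    return sorted(pid for pid in stage1 if pid in stage2)


if __name__ == "__main__":
    print("stage 1:", office_spawned_powershell(PROCESS_EVENTS))
    print("stage 2:", rwx_alloc_then_thread(API_EVENTS))
    print("both   :", correlate(PROCESS_EVENTS, API_EVENTS))
```

Either rule fires on its own in benign environments (developers and admins do spawn PowerShell, and JIT compilers do allocate RWX pages), which is why the example keeps them separate and only reports the pid that matches both. The RWX-then-thread pattern is also the primitive the reflective loading in the next quote relies on: code runs from memory that is backed by no file on disk, so memory scanners that look for executable regions without an image mapping cover the same stage from a different angle.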

"This shellcode loads the entire DLL into memory, so it's able to operate while writing no information into the disk. This operation is called Reflective DLL injection. From this point, the attacker can transmit any other payload in order to acquire elevated privileges and move within the local network," the researchers added.

Security researcher Chris Doman told Bleeping Computer that even though they saw only one sample of the malware, the fact that the decoy document was in English and was uploaded to VirusTotal from Afghanistan suggested that "it may have been targeting someone in an embassy or similar there".

This isn't the first time that hackers have employed the Metasploit backdoor to install malware on targeted devices. Back in March, ESET researchers discovered that a prominent hacker group named Turla used Metasploit as a first-stage backdoor to drop the group's proprietary Mosquito backdoor on targeted devices owned by many Eastern European embassies. Metasploit not only allowed the attackers to control compromised machines but also to drop other backdoors in a relatively short time.

In May, 401TRG, the research arm of security firm ProtectWise, also discovered that hacker groups associated with Chinese state intelligence used publicly available tools such as Metasploit and Cobalt Strike to inject their own malware on targets, primarily in the United States, Japan, South Korea and China.
