Government organizations in Central Asia were subjected to a sophisticated espionage campaign that leveraged a previously undocumented type of malware that was dubbed DownEx.
Bitdefender, in a report shared with The Hacker News, said the activity remains active, with evidence likely pointing to the involvement of a threat actor based in Russia.
The Romanian cybersecurity firm said it first detected the malware in a highly targeted attack aimed at a foreign government agency in Kazakhstan in late 2022. Subsequently, another attack was observed in Afghanistan.
The use of diplomatic-themed lure documents and the campaign’s focus on data exfiltration suggests the involvement of a state-sponsored group, although the exact identity of the hacking outfit has yet to be determined at this stage.
The initial intrusion vector for the campaign was allegedly a spear-phishing email carrying a booby-trapped payload, which was an executable loader masquerading as a Microsoft Word file.
Opening the attachment leads to the extraction of two files: a decoy document that is displayed to the victim, and a malicious HTML application (.HTA) with embedded VBScript code that runs in the background.
The HTA file, for its part, is designed to establish contact with a remote command-and-control (C2) server to retrieve the next-stage payload. While the exact nature of that payload is unknown, it is said to be a backdoor used to establish persistence.
The attack is also notable for using a variety of specialized tools to perform post-exploitation activity. These include:
- Two C/C++ based binaries (wnet.exe and utility.exe) to enumerate all resources on the network
- A Python script (help.py) to create an infinite communication loop with the C2 server and receive instructions to steal files with certain extensions, delete files created by other malware, and capture screenshots
- C++ based malware (diagsvc.exe, aka DownEx) primarily designed to exfiltrate files to C2 servers
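The chain described above gives a defender three observable seams: an executable loader named like a document, an .hta launched as a child of that loader, and a fixed-interval communication loop to the C2 server. The following Python is an added detection example written for this article, not code from Bitdefender's report or from the malware; the process and network events, PIDs, file names and TEST-NET addresses are all constructed, and the use of mshta.exe as the HTA host process is an assumption (the report does not name the host).

```python
"""Constructed detection example for a DownEx-style chain:
document-lookalike loader -> .hta child -> fixed-sleep C2 loop."""
import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: int        # seconds since epoch (constructed)
    pid: int
    ppid: int
    image: str     # full path of the launched executable
    cmdline: str


@dataclass
class NetEvent:
    ts: int
    pid: int
    dest: str      # "ip:port" of the outbound connection


DOC_EXTS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf")
EXEC_EXTS = (".exe", ".scr")


def masquerades_as_document(image: str) -> bool:
    """True for names like 'letter.docx.exe': a document extension hidden
    in front of an executable one."""
    stem, ext = os.path.splitext(os.path.basename(image).lower())
    return ext in EXEC_EXTS and stem.endswith(DOC_EXTS)


def find_hta_children(events):
    """Return (parent, child) pairs where a document-lookalike executable
    spawned a process whose command line references an .hta file."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ".hta" in e.cmdline.lower():
            parent = by_pid.get(e.ppid)
            if parent and masquerades_as_document(parent.image):
                hits.append((parent, e))
    return hits


def find_beacons(net_events, min_conns=5, tolerance=2):
    """Flag (pid, dest) pairs whose inter-connection gaps are near-constant,
    the signature of a loop that sleeps a fixed time between C2 polls.
    Returns [((pid, dest), mean_gap_seconds), ...]."""
    series = defaultdict(list)
    for n in net_events:
        series[(n.pid, n.dest)].append(n.ts)
    beacons = []
    for key, stamps in series.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            beacons.append((key, sum(gaps) / len(gaps)))
    return beacons


# Constructed sample telemetry (not from the report). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, so nothing here is a real C2.
PROC_EVENTS = [
    ProcEvent(1000, 400, 300, r"C:\Windows\explorer.exe", "explorer.exe"),
    # loader masquerading as a Word file, opened from the mail attachment
    ProcEvent(1001, 410, 400, r"C:\Users\u\Downloads\invitation.docx.exe",
              "invitation.docx.exe"),
    # assumed HTA host (mshta.exe is the standard Windows host; the report
    # does not say which process runs the .hta)
    ProcEvent(1002, 420, 410, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\u\AppData\Local\Temp\update.hta"),
    # benign: the real Word opening the decoy document
    ProcEvent(1003, 430, 410, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r"WINWORD.EXE /n C:\Users\u\AppData\Local\Temp\invitation.docx"),
]

NET_EVENTS = (
    # pid 440: polling loop with a ~30 s sleep (constructed)
    [NetEvent(t, 440, "203.0.113.10:443") for t in (2000, 2030, 2060, 2091, 2120, 2150)]
    # pid 500: irregular browsing, should not be flagged
    + [NetEvent(t, 500, "198.51.100.5:443") for t in (2000, 2005, 2100, 2101, 2300)]
)


def run_detections():
    """Run both detections over the constructed telemetry."""
    return {
        "hta_from_lookalike": find_hta_children(PROC_EVENTS),
        "beacons": find_beacons(NET_EVENTS),
    }


if __name__ == "__main__":
    for name, result in run_detections().items():
        print(name, result)
```

The beacon check deliberately tolerates a couple of seconds of jitter, since the Python loop described above runs on a host with its own scheduling noise; tighten `tolerance` and raise `min_conns` when tuning against real traffic to keep false positives from periodic update checks down.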
Two other variants of DownEx have also been identified, the first of which runs an intermediate VBScript to harvest and deliver files in the form of ZIP archives.
The other version, downloaded via a VBE script (slmgr.vbe) from a remote server, swaps C++ for VBScript but retains the same functionality as before.
“This is a fileless attack – the DownEx scripts run in memory and never touch the disk,” says Bitdefender. “This attack highlights the sophistication of modern cyber attacks. Cybercriminals are finding new methods to make their attacks more reliable.”