Malwarebytes discovered a multi-stage PowerShell attack on November 10 that used a document lure imitating the Kazakh Ministry of Health Care. On November 8, a threat actor using the handle DangerSklif (perhaps in reference to Moscow's emergency hospital) set up a GitHub account and posted the first part of the attack.
PowerShell is a sophisticated scripting language that gives you full access to a computer's inner workings, including Windows APIs. PowerShell also has the advantage of being an integral part of Windows that is entirely trusted, thus security software normally ignores the commands it executes. The ability to execute PowerShell remotely via WinRM makes it an even more tempting tool. This functionality allows attackers to bypass Windows Firewall, run PowerShell scripts remotely, or simply drop into an interactive PowerShell session, giving them complete administrative control over a system.
When PowerShell is used in a fileless malware attack, the line between infecting a single machine and compromising the entire enterprise is entirely blurred. The route to total compromise is paved the instant an attacker obtains a user name and password for a single system.
The attack began with the distribution of the RAR archive “Увeдомление.rar” ("Notice.rar"). The archive file contains an lnk file with the same name that pretends to be a PDF document from Kazakhstan's "Ministry of Health Care." When the lnk file is opened, a PDF file is shown to confuse victims while numerous stages of the assault are being carried out in the background. The fake document is an update to a Covid 19 policy released by the Republic of Kazakhstan's Chef State Sanitary.
The attack began with the execution of the lnk file, which invokes PowerShell and uses an autorun registry key to accomplish multiple techniques such as privilege escalation and persistency. The entire attack was stored in a single Github repository called GoogleUpdate. On November 8th, a user named DangerSklif created this repository. On November 1st, the DangerSklif user was created on GitHub.
It used cmd.exe to call PowerShell to download and execute the first stage of the attack from the Github account (lib7.ps1) after de-obfuscating the embedded lnk file. The fake PDF file is downloaded from the same Github account and saved in the Downloads directory by lib7.ps1. The following step is to open a decoy PDF to fool the user while the remainder of the procedure is carried out in the background, including obtaining the OS version and downloading the next stage based on the OS version.
