Matryoshka malware-loaded document aimed at NATO
Mon 30 Jan 2017
A sophisticated cyberattack aimed at NATO member countries took place over the Christmas and New Year holidays. This attack, involving several different layers of embedded objects released in succession, has been compared to a ‘Matryoshka’, the Russian nesting doll, referring to the many-layered complexity of the attack.
Researchers from Cisco observed malicious activity generated through the downloaded document from December 29 through January 12. They believe that the Microsoft Word document was aimed at NATO member countries because of the document name, “Statement by the NATO Secretary General following a meeting of the NATO-Russia Council.”
The document is in rich text format (RTF), with content copied directly from the NATO website. The text itself is apparently benign, but a succession of objects embedded within the text are used to perform network reconnaissance and communicate with a remote command and control (C&C) server.
The initial embedded object is an OLE entity which contains an Adobe Flash object. A second Adobe Flash object, in the form of a binary blob, is extracted by the first and is encoded using an algorithm based on XOR and zlib compression.
The ActionScript inside the Flash object then begins to communicate with the C&C server, first performing an HTTP request that reports information including the version of Adobe Flash and the operating system; this lets the attacker profile the infected machine and decide whether to exploit it further. As the Cisco blog put it, “If the infected system looks like a sandbox or virtual machine, the operator could ignore the request and the ActionScript is finished.”
Should the attacker accept the request, a second HTTP request is made. If this request is accepted, the function Exploit Loaded (expLoaded) is executed. Finally, a third request is sent and if that too is accepted at the C&C server the function PayloadLoad is called. At that point, the malicious Adobe Flash file is executed.
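A triage check for the document structure described above, added here as an example (it is not Cisco's tooling and does not parse the real document): it pulls the hex-encoded `\objdata` blobs out of an RTF file, decodes them, looks for SWF magic bytes, and decompresses zlib-packed (CWS) Flash bodies to count nested Flash layers. The sample RTF is constructed, and its OLE wrapper prefix is a placeholder rather than a real OLE 1.0 header.

```python
import re
import struct
import zlib

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")          # uncompressed, zlib, LZMA SWF headers
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def build_sample_rtf() -> bytes:
    """Constructed sample (not the real document): an RTF with one \\objdata blob
    whose bytes carry a zlib-compressed CWS Flash file that wraps a second FWS file."""
    inner = b"FWS\x0a" + struct.pack("<I", 12) + b"\x00" * 4
    body = b"padding" + inner + b"padding"
    outer = b"CWS\x0a" + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    ole_wrapper = b"\x01\x05\x00\x00" + outer   # placeholder prefix, not a real OLE1 header
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + ole_wrapper.hex().encode() + b"}}}"


def extract_objdata(rtf: bytes) -> list[bytes]:
    """Decode every hex-encoded \\objdata blob in the RTF."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:                      # tolerate a stray nibble from truncated input
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def find_swf(data: bytes, depth: int = 0, max_depth: int = 3) -> list[tuple[int, str]]:
    """Return (depth, magic) for each SWF header found, recursing into CWS bodies."""
    hits = []
    for magic in SWF_MAGICS:
        for m in re.finditer(re.escape(magic), data):
            hits.append((depth, magic.decode()))
            if magic == b"CWS" and depth < max_depth:
                try:                              # zlib stream starts after the 8-byte header
                    body = zlib.decompressobj().decompress(data[m.start() + 8:])
                except zlib.error:
                    continue
                hits.extend(find_swf(body, depth + 1, max_depth))
    return hits


def scan_rtf(rtf: bytes) -> dict:
    """Summarise embedded objects and nested Flash layers for triage."""
    blobs = extract_objdata(rtf)
    hits = [h for blob in blobs for h in find_swf(blob)]
    layers = 1 + max((d for d, _ in hits), default=-1)
    return {"objects": len(blobs), "flash_layers": layers, "hits": hits}
```

A document whose `\objdata` decodes to more than one Flash layer is worth routing to deeper analysis; the check says nothing about the C&C staging, which only shows up at runtime.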
Once the hackers realized that security analysts were investigating the document, the payload was replaced with large amounts of junk data, to create resource issues for simple security devices.
While there is no evidence that NATO members actually fell prey to the attack, the researchers at Cisco note the importance of the fact that when the hackers realized that security researchers were on to them, they rigged the infrastructure of the attack to create resource issues and hinder investigation. “These,” they say, “are the characteristics of reasonably advanced attackers who have designed an efficient minimalist framework that was able to adapt purposes on the fly.”