A hacker with the handle “Master X” leverages a PowerShell script that contains a reference to singer-songwriter Drake’s “Kiki Do You Love Me” lyrics and ultimately delivers a malicious payload to its victims. The campaign is email based; with missives containing a malicious PowerPoint attachment that ultimately download either the Lokibot info stealer or Azorult remote access trojan.
In a technical post by AppRiver published Tuesday, researchers shared a sample of the malicious emails dated Jan. 6, 2020. The subject line appears to indicate a Business Email Compromise campaign with a call to action in the subject line: “TT Remittance Advice”. Two PowerPoint attachments contain the file names “INVOO13433361.pss” and “Blank slip.pss”.
“Upon opening either of the PowerPoint attachments, it automatically runs a heavily obfuscated visual basic script,” wrote David Pickett, security analyst with AppRiver in the blog post.
Pickett said the script uses Window’s native Microsoft HTML application host called “mshta.exe” to reach out to a Bitly shortened link as a way to circumvent browser defense controls. Mshta.exe is typically used to execute HTML applications and can assist scripts to run in a Windows system.
The first order of business for the attacker is to use mshta.exe to create a command line to task kill Excel and Word, if running. Next, mshta.exe is used to reach out to plain-text sharing site Pastebin.com to retrieve an encoded script.
“[It] creates a scheduled task for mshta to reach out to a Pastebin url every 60 minutes. This is where an encoded script is located and the url it retrieves dictates whether the recipient ultimately receives the Lokibot or Azorult payload in our samples,” wrote the researcher.
“Kiki Do You Love Me”
Once the hacker, Master X, is successful in pulling down the Pastebin code it is translated into a PowerShell script that contains a reference to Drake’s “Kiki Do You Love Me” lyrics from his hit song In My Feelings. Notable is the fact the hacker spells Kiki incorrectly. For example the hacker spells it “Keke” in the PowerShell script; as in “Keke Do You Love Me”.
“This attacker ‘Master X’, retrieved from the metadata inside the PowerPoint, had a sense of humor when he was creating the invoke-expression cmdlet. ‘Master X’ also obfuscated the ‘DownloadString’ inside this PowerShell script below in another attempt to avoid defense solutions monitoring PowerShell activity,” according to the researcher.
In this final stage PowerShell script reaches out to Paste.ee, another plain text sharing site, and downloads the code for a malicious executable named Calc.exe. “We can see this retrieved malicious executable file header when loading up the Paste.ee site,” researchers said.
It’s unclear how successful this campaign has been. Criminal hackers with a sense of humor have surfaced in the past. Authors behind the devastating Mirai botnet snuck a number of quirky jokes in their code. One line of Mirai code included the line “// BUT BRAH WHAT IF METHOD IS THE DEFAULT VALUE WONT IT SEGFAULT CAUSE READ ONLY STRING?”. Duqu malware authors included the line “Copyright (c) 2003 Showtime Inc. All rights reserved. DexterRegularDexter.”
(Image Source: Instagram user champagnepapi)