GZipDe was uncovered by security researchers at AlienVault after a user from Afghanistan uploaded an infected Word document to VirusTotal. This malware is believed to have been used in a highly-targeted attack on an Afghanistan embassy ahead of the Shanghai Cooperation Organization Summit – a meeting specifically referenced in the document. Received through email, the Word document tricks users into enabling macros, allowing a Visual Basic script to run and execute hidden PowerShell code. An HTTP request is then sent which downloads a malicious .exe file from a server that delivers a Metasploit payload and creates a backdoor on the affected machine. Sensitive information can then be sent back to a command-and-control (C2) server controlled by the threat actor. GZipDe evades detection by using Reflective Dynamic-Link-Library (DLL) Injection to hide its tracks and a custom encryption method utilizing .NET code.
Reporting and Technical Details
- June 2018: GZipDe: An Encrypted Downloader Serving Metasploit. (AlienVault)