Metasploit is a powerful exploitation framework that contains various payloads used in penetration testing to identify vulnerabilities, but cyber criminals take advantage of its features and ultimately use it for various malicious purposes.
The researchers believe that this is most likely a targeted attack by a cybercrime group, and that it carries out a multistage infection to compromise its victims.
A user from Afghanistan uploaded the malicious document to VirusTotal; it is a weaponized Office document with macro malware embedded.
It also contains a .NET downloader that evades antivirus detection by using a custom encryption method for obfuscation.
GZipDe Malware Infection with Metasploit Backdoor
Initially, once the victim opens the malicious document, it executes a Visual Basic script and starts a new task that launches a hidden PowerShell console.
The PowerShell script then issues an HTTP request to resolve the following URL and download the malicious .exe file.
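The two steps above (the document's macro launching a hidden PowerShell console, which then fetches the next stage) are what endpoint telemetry is most likely to catch. The following Python script is an added example written for this article, not code from the report or from the malware: it runs a simple detection rule over constructed Sysmon-style process-creation events, flagging any Office application that spawns PowerShell and raising the severity when the command line asks for a hidden window. The field names (ParentImage, Image, CommandLine) follow Sysmon Event ID 1; the sample event lines, including the short EncodedCommand value, are invented for the example.

```python
import json
from typing import Any, Dict, List

# Constructed Sysmon-style process-creation events, one JSON object per line
# (sample data written for this example, not telemetry from the incident).
SAMPLE_EVENTS = r"""
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -EncodedCommand QQBCAEMA"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoLogo"}
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w h -c \"Start-Sleep 1\""}
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -Command Get-Date"}
"""

# Office hosts that have no business spawning a shell on a typical workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_hidden_window(cmdline: str) -> bool:
    """True if the command line asks PowerShell for a hidden window.

    powershell.exe accepts any unambiguous prefix of a parameter name and of
    its enum values, so "-w h" means the same as "-WindowStyle Hidden"."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower()
        if tok.startswith("-") and name and "windowstyle".startswith(name):
            value = tokens[i + 1].strip("\"'").lower()
            if value and "hidden".startswith(value):
                return True
    return False


def detect(events_text: str) -> List[Dict[str, Any]]:
    """Apply the Office-spawns-PowerShell rule to newline-delimited JSON events."""
    alerts: List[Dict[str, Any]] = []
    for line in events_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        parent = basename(event.get("ParentImage", ""))
        child = basename(event.get("Image", ""))
        cmd = event.get("CommandLine", "")
        if parent in OFFICE_PARENTS and child in SHELLS:
            hidden = has_hidden_window(cmd)
            alerts.append({
                "parent": parent,
                "child": child,
                "hidden_window": hidden,
                # Hidden window is the extra signal the article describes.
                "severity": "high" if hidden else "medium",
                "command_line": cmd,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["parent"], "->", alert["child"], "|", alert["command_line"])
```

On the sample above the rule fires three times: Word and Excel launching PowerShell with a hidden window (high), and Outlook launching a visible PowerShell (medium); the Explorer-launched shell and the Word print helper are left alone. In production the same rule is usually expressed in the SIEM's query language, with an allow-list for any signed automation the organisation genuinely runs from Office.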
GZipDe contains an encrypted payload consisting of a Base64 string that is compressed as a ZIP and custom-encrypted with a symmetric key algorithm; researchers also found the original reverse-TCP payload publicly available on GitHub.
Once the malware is decompressed and executed, it allocates a new memory page with execute, read and write privileges.
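To illustrate the layering described above, here is an added Python triage helper, not code from the report or from the malware, that peels the outer Base64 and compression layers of a dropped blob and reports what remains. It assumes the compression is gzip (as the malware's name suggests; the article calls it a ZIP) and makes no attempt at the custom symmetric decryption, which is sample-specific; instead it uses byte entropy as a heuristic for whether the inner stage is still encrypted. The sample blobs, the 7.0 bits-per-byte threshold and the function names are all constructed for this example.

```python
import base64
import gzip
import hashlib
import math
import random
import zlib
from typing import Any, Dict

GZIP_MAGIC = b"\x1f\x8b"
# Assumed heuristic cut-off: encrypted or compressed data sits close to 8.0.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def unwrap_layers(b64_text: str) -> Dict[str, Any]:
    """Strip the outer Base64 and gzip layers and describe what is left.

    The innermost blob is not decrypted: its custom cipher is sample-specific,
    so triage records the size, hash and entropy of that stage instead."""
    report: Dict[str, Any] = {}
    raw = base64.b64decode(b64_text, validate=True)
    report["decoded_len"] = len(raw)
    report["is_gzip"] = raw.startswith(GZIP_MAGIC)
    inner = raw
    if report["is_gzip"]:
        try:
            inner = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            # Magic bytes matched but the stream is truncated or corrupt.
            report["gzip_error"] = True
    report["inner_len"] = len(inner)
    report["inner_sha256"] = hashlib.sha256(inner).hexdigest()
    report["inner_entropy"] = round(shannon_entropy(inner), 2)
    report["likely_still_encrypted"] = report["inner_entropy"] > ENTROPY_THRESHOLD
    return report


def build_sample(inner: bytes) -> str:
    """Wrap a blob the way the article describes (gzip, then Base64).

    Only used to construct test input; a real sample comes from the dropped file."""
    return base64.b64encode(gzip.compress(inner)).decode("ascii")


# Constructed inputs: a pseudo-random blob standing in for the custom-encrypted
# stage, and a plain-text blob showing what a decrypted stage would look like.
_rng = random.Random(20180620)
PSEUDO_ENCRYPTED = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAINTEXT = b"This stage is plain text standing in for decrypted content. " * 32
SAMPLE_ENCRYPTED_B64 = build_sample(PSEUDO_ENCRYPTED)
SAMPLE_PLAINTEXT_B64 = build_sample(PLAINTEXT)

if __name__ == "__main__":
    for label, sample in (("encrypted-like", SAMPLE_ENCRYPTED_B64),
                          ("plaintext", SAMPLE_PLAINTEXT_B64)):
        print(label, unwrap_layers(sample))
```

The entropy check is the practical point: after Base64 decoding and decompression, a stage that still reads as near-random bytes has another layer (here the custom symmetric cipher) left to unwind, whereas a stage with ordinary text or code entropy can go straight to static analysis. The SHA-256 of the inner stage is what you would record and share, since the outer Base64 text changes with every re-encoding.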
According to AlienVault, the script uses the WaitForSingleObject C# class, meaning that the program accesses a mutex object. A special handler controls the process's access to system resources. This prevents multiple instances of the same malware from running at the same time, which would unnecessarily increase resource usage and produce more network noise.
The payload contains shellcode that contacts the command-and-control server to obtain the Metasploit payload.
The command-and-control server then delivers the Metasploit payload, which contains shellcode that bypasses antivirus detection and creates a backdoor using the Meterpreter payload.
Once the backdoor is open, it starts to gather system information and other sensitive data, which is sent to the attacker via the C&C server.