Fake BaWue website distributes malware in Ukraine context

With a fake website of the Baden-Württemberg state government, previously unknown actors are spreading a Trojan horse. They use interest in news about the current situation in Ukraine as bait.

A still active fake website distributes malware under the guise of the state government of Baden-Württemberg. As the security company Malwarebytes reports in its blog, the perpetrators use the interest in reports on the current situation in Ukraine and political decisions in this context. They have secured a DE domain that previously belonged to the state of Baden-Württemberg and whose registration had expired.
Under the address collaboration-bw[.]de the state government used to operate a collaboration platform for innovation initiatives. Using this reputable web address, the perpetrators built a website in the style of Baden-Württemberg's "The Länd" campaign. While the start page shows only a plain under-construction notice, a page in "The Länd" style that cannot be reached directly from there purportedly contains information on the Ukraine crisis.

On this page, a blue download button offers a current document with tips for everyday work. Downloading and unzipping the ZIP file named "2022-Q2-Threat situation-Ukraine" yields a CHM file of the same name. CHM (Compiled HTML) is an older Windows Help file format that can bundle several HTML files. When this particular CHM file is opened, a fake error message appears in German while PowerShell commands run in the background.
Malware in action
The first PowerShell script retrieves and runs a second script from the fake website. That script installs a Trojan horse in a newly created directory named "SecuriyHealthService" in the user's profile directory. The Trojan consists of a batch file called "MonitorHealth.cmd" that simply calls a 12 kB PowerShell script called "Status.txt". The CMD file is run daily at a fixed time by an entry in the Windows Task Scheduler.
The PowerShell script Status.txt is a RAT (Remote Access Trojan/Tool) and thus gives the attackers remote access to infected computers. In this case, it collects data about the computer and, to avoid arousing suspicion, uploads it in JSON format to a server under another DE domain. It can also download further files from the network and start scripts. To bypass Windows protections, the script contains an AES-encrypted function called "bypass" that it decrypts on the fly.
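The infection chain above (CHM viewer launching PowerShell, a drop directory and batch file in the user profile, a daily scheduled task) gives a defender three things to hunt for. As an added example that is not from the Malwarebytes report or this article, the Python below runs those three checks over constructed, simplified Sysmon-style process-creation events; the event format, the use of schtasks.exe, the user name and all paths are assumptions, and the third rule generalizes to any scheduled task whose action is a script under a user profile.

```python
import re

# Constructed sample events in a simplified key="value" form (not real logs
# from the campaign); the schtasks command line is an assumption about how
# a daily task entry might be created.
SAMPLE_EVENTS = [
    r'Image="C:\Windows\hh.exe" ParentImage="C:\Windows\explorer.exe" '
    r'CommandLine="hh.exe 2022-Q2-Threat situation-Ukraine.chm"',
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'ParentImage="C:\Windows\hh.exe" CommandLine="powershell -w hidden -enc AAAA"',
    r'Image="C:\Windows\System32\schtasks.exe" '
    r'ParentImage="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="schtasks /create /sc daily /st 09:30 /tn MonitorHealth '
    r'/tr C:\Users\alice\SecuriyHealthService\MonitorHealth.cmd"',
    r'Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" '
    r'CommandLine="notepad.exe notes.txt"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Artifact names taken from the article (note the attacker's "Securiy" typo).
ARTIFACT_RE = re.compile(r"SecuriyHealthService|MonitorHealth\.cmd|Status\.txt", re.I)
# Generalization: a task action that runs a script from a user profile directory.
USER_TASK_RE = re.compile(r'/tr\s+"?[A-Z]:\\Users\\[^\s"]+\.(cmd|bat|ps1|vbs)', re.I)

def parse_event(line):
    """Parse one key="value" event line into a dict."""
    return dict(KV_RE.findall(line))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(line):
    """Return the names of all rules that the event trips."""
    ev = parse_event(line)
    image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    hits = []
    if image == "powershell.exe" and parent == "hh.exe":
        hits.append("chm_spawns_powershell")
    if ARTIFACT_RE.search(cmd):
        hits.append("known_artifact_name")
    if image == "schtasks.exe" and "/create" in cmd.lower() and USER_TASK_RE.search(cmd):
        hits.append("task_runs_script_from_user_profile")
    return hits

def scan(lines):
    """Map each event index to the rules it tripped, skipping clean events."""
    results = {}
    for i, line in enumerate(lines):
        hits = detect(line)
        if hits:
            results[i] = hits
    return results

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```

The first rule is the most robust of the three, since it keys on behaviour (hh.exe starting PowerShell) rather than on names the attackers can change.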
So far, it is unclear who is behind this malware campaign and what exactly it is intended to achieve. It is tempting to suspect Russian actors, but without concrete evidence and connections that remains pure speculation. The perpetrators could just as well be of any other provenance, using a current topic as bait.
Detection by antivirus programs
So far, very few antivirus programs detect the malicious CHM file, and the standard Windows Defender is not among them. For Status.txt, the actual malware, detection is even sparser. Even Malwarebytes' own antivirus software does not appear to detect either file. The scan results below are from AV-Test and VirusTotal.
| Antivirus | Malware name (CHM file) | Malware name (Status.txt) |
|---|---|---|
| Avast | Other:Malware-gen [Trj] | |
| AVG | Other:Malware-gen [Trj] | |
| Bitdefender | Exploit.CHM-Downloader.Gen | |
| Emsisoft | Exploit.CHM-Downloader.Gen (B) | |
| eScan | Exploit.CHM-Downloader.Gen | |
| Eset Nod32 | PowerShell/TrojanDownloader.Agent.FIR trojan | PowerShell/ReverseShell.R |
| GData | Exploit.CHM-Downloader.Gen | |
| Kaspersky | HEUR:Trojan-Downloader.Script.Agent.gen | |
| Rising | Trojan.MouseJack/HTML!1.BE26 | |
| Symantec | Downloaders | |
| Trellix (FireEye) | Exploit.CHM-Downloader.Gen | |
| TrendMicro | HEUR_CHM.E | |
| ZoneAlarm | UDS:DangerousObject.Multi.Generic | |