[BreachExchange] Drake Lyrics Used as Calling Card in Malware Attack

Destry Winant destry at riskbasedsecurity.com
Fri Jan 10 10:10:32 EST 2020


https://threatpost.com/drake-lyrics-used-as-calling-card-in-malware-attack/151665/

A hacker who apparently likes the musician Drake leaves lyrics from
the artist’s song In My Feelings behind in an attack that delivers
the Lokibot or Azorult malware.

A hacker using the handle “Master X” leverages a PowerShell script
that contains a reference to singer-songwriter Drake’s lyric “Kiki Do
You Love Me” and ultimately delivers a malicious payload to victims.
The campaign is email-based, with messages carrying a malicious
PowerPoint attachment that ultimately downloads either the Lokibot
info stealer or the Azorult remote access trojan.

In a technical post published Tuesday, AppRiver researchers shared a
sample of the malicious emails, dated Jan. 6, 2020. The subject line,
“TT Remittance Advice”, reads like the call to action of a Business
Email Compromise campaign. The two PowerPoint attachments are named
“INVOO13433361.pss” and “Blank slip.pss”.

“Upon opening either of the PowerPoint attachments, it automatically
runs a heavily obfuscated visual basic script,” wrote David Pickett,
security analyst with AppRiver, in the blog post.

Pickett said the script uses Windows’ native Microsoft HTML
Application host, “mshta.exe”, to reach out to a Bitly-shortened link
as a way to circumvent browser defense controls. Mshta.exe is
typically used to execute HTML applications and can help scripts run
on a Windows system.

The attacker’s first order of business is to use mshta.exe to build a
command line that task-kills Excel and Word, if they are running.
Next, mshta.exe reaches out to the plain-text sharing site Pastebin.com
to retrieve an encoded script.

“[It] creates a scheduled task for mshta to reach out to a Pastebin
url every 60 minutes. This is where an encoded script is located and
the url it retrieves dictates whether the recipient ultimately
receives the Lokibot or Azorult payload in our samples,” wrote the
researcher.

“Kiki Do You Love Me”

Once Master X has successfully pulled down the Pastebin code, it is
translated into a PowerShell script that references Drake’s “Kiki Do
You Love Me” lyrics from his hit song In My Feelings. Notably, the
hacker spells Kiki differently: in the PowerShell script it appears
as “Keke”, as in “Keke Do You Love Me”.

“This attacker ‘Master X’, retrieved from the metadata inside the
PowerPoint, had a sense of humor when he was creating the
invoke-expression cmdlet. ‘Master X’ also obfuscated the
‘DownloadString’ inside this PowerShell script below in another
attempt to avoid defense solutions monitoring PowerShell activity,”
according to the researcher.

In this final stage the PowerShell script reaches out to Paste.ee,
another plain-text sharing site, and downloads the code for a
malicious executable named Calc.exe. “We can see this retrieved
malicious executable file header when loading up the Paste.ee site,”
the researchers said.

It’s unclear how successful this campaign has been.

Criminal hackers with a sense of humor have surfaced before. The
authors of the devastating Mirai botnet snuck a number of quirky
jokes into their code; one line of Mirai source reads “// BUT BRAH
WHAT IF METHOD IS THE DEFAULT VALUE WONT IT SEGFAULT CAUSE READ ONLY
STRING?”. The Duqu malware authors included the line “Copyright (c)
2003 Showtime Inc. All rights reserved. DexterRegularDexter.”
