Cisco Talos has identified a series of cyber attacks it labels the “Frankenstein” campaign, so named because of the open-source moving parts these sophisticated attackers stitched together. The Talos team believes the campaign ran between January and April 2019. The attackers use malicious documents to install the malware.
The malware is assembled from:
- an article describing how to detect whether the sample is running inside a virtual machine,
- a GitHub project that uses MSBuild to run a PowerShell command,
- a piece of a GitHub project called “FruityC2” to build a stager, and
- the GitHub project PowerShell Empire for the agents.
Frankenstein makes use of anti-detection techniques. It runs two scripts: the first checks whether any of the applications listed below are running, and if one is, the malware stays dormant.
- VMWare
- Vbox
- Process Explorer
- Process Hacker
- ProcMon
- Visual Basic
- Fiddler
- WireShark
If none of the applications above are running, the second script searches the running tasks for any of the following:
- VMWare
- Vbox
- VxStream
- AutoIT
- VMtools
- TCPView
- WireShark
- Process Explorer
- Visual Basic
- Fiddler
The next anti-detection technique is a call to Windows Management Instrumentation (WMI) to count how many cores are allocated to the system. If there are fewer than 2, the file the user tried to open aborts and displays “The File is not compatible with your Microsoft Office Version”. This check is aimed at detecting virtual machines.
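As an added example (not code from the Talos article or from the campaign itself), the following Python scanner flags the two evasion behaviours described above in a PowerShell script body: the process-name checks and the WMI core-count check. It assumes the core count is read through the Win32_Processor WMI class, which the write-up does not state; the sample script it runs over is constructed.

```python
import re

# Process and task names the two Frankenstein scripts look for before the
# malware decides to run; taken from the two lists in the write-up above.
EVASION_PROCESS_NAMES = [
    "vmware", "vbox", "vxstream", "autoit", "vmtools", "tcpview",
    "wireshark", "process explorer", "process hacker", "procmon",
    "fiddler", "visual basic",
]

# Assumption: the core count is read via the Win32_Processor WMI class and
# its NumberOfCores property; the write-up only says WMI is used.
WMI_CORE_PATTERNS = [
    re.compile(r"win32_processor", re.I),
    re.compile(r"numberof(logical)?(processors|cores)", re.I),
]

def scan_script(text: str) -> dict:
    """Score sandbox-evasion indicators found in a PowerShell script body."""
    lowered = text.lower()
    names = [n for n in EVASION_PROCESS_NAMES if n in lowered]
    # Does the script enumerate running processes at all?
    enumerates = re.search(r"get-process|tasklist|win32_process\b", lowered) is not None
    wmi_query = any(p.search(text) for p in WMI_CORE_PATTERNS)
    # A comparison against a small constant is the tell-tale shape of the core check.
    threshold = re.search(r"-lt\s*[2-4]\b|<\s*[2-4]\b", text) is not None
    score = 0
    if names:
        score += 2 if enumerates else 1  # names plus enumeration is stronger evidence
    if wmi_query:
        score += 2 if threshold else 1
    return {
        "process_names": names,
        "process_enumeration": enumerates,
        "wmi_core_query": wmi_query,
        "core_threshold": threshold,
        "score": score,
        "suspicious": score >= 2,
    }

# Constructed sample, not the real Frankenstein script: a stripped-down
# PowerShell fragment with the same shape as the behaviour described above.
SAMPLE_SCRIPT = r'''
$running = (Get-Process).ProcessName
foreach ($bad in @("vmware","vbox","procmon","wireshark","fiddler")) {
    if ($running -match $bad) { exit }
}
$cores = (Get-WmiObject -Class Win32_Processor).NumberOfCores
if ($cores -lt 2) { Write-Output "The File is not compatible with your Microsoft Office Version"; exit }
'''
BENIGN_SCRIPT = "Get-ChildItem C:\\Reports | Sort-Object LastWriteTime"  # constructed
```

Run `scan_script` over scripts extracted from Office documents or PowerShell logging (event ID 4104 script blocks) to surface candidates for analysis; a high score is a triage signal, not a verdict.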
In conclusion, very sophisticated and highly trained operators are increasingly making use of unsophisticated tools. To protect against this type of attack, use Advanced Malware Protection (AMP), Cisco Cloud Web Security (CWS), or the Web Security Appliance (WSA), which block access to websites used in attacks like the Frankenstein campaign.
The original article was written by David Maynor, Danny Adamitis and Kendall McKay. Please find the full article HERE.