This campaign targets users in Italy with spear-phishing emails carrying malicious attachments.
Figure 1: Emails with the malicious XLS attachment
The image above shows one of the samples attached to multiple emails sent to addresses under the Italian ccTLD.
The malicious XLS attachment first downloads an image from an image-sharing website using the PowerShell command shown below.
Figure 2: Embedded PowerShell code
The PowerShell code in the XLS document then processes the downloaded image to extract a second-stage payload, which is computed from a series of image pixels and their color values.
Figure 3: Python decoder script
The code snippet above is the Python decoder script that turns the PNG into a PowerShell script.
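To make the pixel-to-script recovery described above concrete, here is an added, standard-library-only example (not the decoder from the original post, and not the campaign's real encoding): the post does not spell out how pixels map to bytes, so this example assumes a constructed scheme in which the red channel of the first two pixels holds a 16-bit length and each following pixel's red channel carries one payload byte, and it shows an analyst parsing such a PNG and decoding the hidden bytes.

```python
import struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
SAMPLE_STAGE2 = b"Write-Host 'constructed second-stage stand-in'"  # not the campaign's real script

def _chunk(kind: bytes, body: bytes) -> bytes:
    # One PNG chunk: big-endian length, 4-byte type, data, CRC32 over type + data
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", zlib.crc32(kind + body) & 0xFFFFFFFF)

def write_rgb_png(pixels, width, height) -> bytes:
    # Minimal 8-bit RGB PNG writer; every scanline uses filter type 0 (no filtering)
    rows = (pixels[y * width:(y + 1) * width] for y in range(height))
    raw = b"".join(b"\x00" + bytes(c for px in row for c in px) for row in rows)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

def read_rgb_png(data: bytes):
    # Parse an 8-bit RGB, filter-0 PNG (the only layout this example writes) into (r, g, b) tuples
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if kind == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
        elif kind == b"IDAT":
            idat += body                            # image data may be split over several IDAT chunks
        pos += 12 + length                          # length + type + data + CRC
    raw, stride = zlib.decompress(idat), 1 + 3 * width   # scanline = filter byte + 3 bytes per pixel
    rows = [raw[y * stride + 1:(y + 1) * stride] for y in range(height)]   # strip the filter byte
    return [tuple(row[3 * x:3 * x + 3]) for row in rows for x in range(width)], width, height

def embed_red_channel(cover, payload: bytes):
    # Constructed scheme: red of pixels 0 and 1 carry a 16-bit length, then one payload byte per red channel
    stream = len(payload).to_bytes(2, "big") + payload
    if len(stream) > len(cover):
        raise ValueError("cover image too small for payload")
    return [(stream[i], g, b) if i < len(stream) else (r, g, b) for i, (r, g, b) in enumerate(cover)]

def extract_red_channel(pixels) -> bytes:
    # Analyst-side decoder: walk the pixels in order and rebuild the hidden byte stream
    n = (pixels[0][0] << 8) | pixels[1][0]
    return bytes(px[0] for px in pixels[2:2 + n])

def roundtrip() -> bytes:
    # Hide SAMPLE_STAGE2 in a constructed 16x8 cover, serialise to PNG, parse it back and decode
    cover = [(x * 16, y * 32, 128) for y in range(8) for x in range(16)]
    pixels, _, _ = read_rgb_png(write_rgb_png(embed_red_channel(cover, SAMPLE_STAGE2), 16, 8))
    return extract_red_channel(pixels)
```

A real sample would need the specific channel order and pixel walk used by its own decoder, which is exactly what Figure 3 documents for this campaign.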
The image below highlights the second-stage PowerShell script extracted from the downloaded PNG file.
Figure 4: Decoded PowerShell code from the PNG
Once the series of pixel color values has been processed, the result is translated into another PowerShell script. That script checks whether the user is located in Italy and, if so, downloads a payload from a predefined C2 server.
Figure 5: Original image (left) and malicious image (right)
The image on the left is the original, found via a Google Image search; the image on the right is the altered version that carries the malicious PowerShell script.
Figure 6: Final PowerShell code
The code snippet above is the final PowerShell script that downloads the final payload. Its first line checks the Windows GeoID home-location setting of the current user account to confirm that it is set to Italy. Unfortunately, the final URL was already down at the time of analysis, so the actual payload behavior is unknown.