CASHY200 is the name given by researchers to a PowerShell-based backdoor threat. This particular malware was detected because its Command-and-Control (C2, C&C) infrastructure used the domain 'windows64x.com,' which had previously been observed as part of an attack campaign against Kuwaiti organizations in the transportation and shipping industries. The target profile also appears to be largely the same, but this time the victims were Kuwaiti government organizations. Although the overlaps appear too specific to be accidental, it is not possible to claim with 100% assurance that the same threat actors are also the hackers behind CASHY200.
The infection vector used to deliver CASHY200 is most likely weaponized Word documents propagated through phishing emails. The threatening documents used several different names in Arabic, while one was delivered as 'Update list soft-Ad.docm.'
When deployed on the targeted computer, CASHY200 initiates communication with its C2 servers through DNS tunneling. More specifically, the threat issues DNS A queries to the attacker's server. The DNS answers that come back are parsed for applicable commands, while the subsequent results are delivered back to the server, again through DNS queries. CASHY200 has been observed to use randomly generated modifiers stored in the Registry at HKCU\Software\Microsoft\Cashe\index.
Later CASHY200 versions are able to recognize two separate commands issued by the C2 servers. The first instructs the threat to run the 'hostname' command and exfiltrate the output. The other tells CASHY200 to run commands obtained from subsequent DNS queries, with the results once more being exfiltrated to the C2 through DNS tunneling.
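The traffic pattern described above (a steady stream of A queries whose subdomains carry encoded data and differ on every request) is what a defender can look for in DNS resolver or DNS client logs. The following is an added detection example written for this page; it is not code from the original article or from the researchers who analysed CASHY200. It runs over a constructed sample log in an assumed "timestamp client qtype qname" format and flags registered domains that receive many A queries with almost entirely unique, high-entropy subdomains. The thresholds, the log format and the "last two labels" rule for the registered domain are assumptions chosen for illustration; the 'windows64x.com' domain is the one named in the article.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not real telemetry). Assumed format:
# "<timestamp> <client_ip> <qtype> <qname>", one query per line.
SAMPLE_LOG = """\
2020-06-01T08:00:01Z 10.0.0.5 A a3f9c2e17b.windows64x.com
2020-06-01T08:00:02Z 10.0.0.5 A 5d1e88c0ff.windows64x.com
2020-06-01T08:00:03Z 10.0.0.5 A 9b07ad4e21.windows64x.com
2020-06-01T08:00:04Z 10.0.0.5 A c44f0e9a6d.windows64x.com
2020-06-01T08:00:05Z 10.0.0.5 A 7e2b91d3a8.windows64x.com
2020-06-01T08:00:06Z 10.0.0.5 A 0f6c3b5e92.windows64x.com
2020-06-01T08:00:07Z 10.0.0.5 A www.microsoft.com
2020-06-01T08:00:08Z 10.0.0.5 A www.microsoft.com
2020-06-01T08:00:09Z 10.0.0.7 A www.microsoft.com
2020-06-01T08:00:10Z 10.0.0.7 A update.microsoft.com
2020-06-01T08:00:11Z 10.0.0.7 A login.microsoft.com
2020-06-01T08:00:12Z 10.0.0.7 AAAA www.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, client, qtype, qname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            records.append((ts, client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def split_name(qname):
    """Split a query name into (subdomain, registered_domain).

    Assumption: the registered domain is the last two labels. This simplification
    mis-handles multi-label public suffixes such as co.uk; production code would
    consult a public-suffix list instead.
    """
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_domains(records, min_queries=5, min_unique_ratio=0.8,
                  min_entropy=2.5, min_a_ratio=0.9):
    """Aggregate queries per registered domain and flag tunneling-like patterns.

    A domain is flagged when it receives at least min_queries, nearly every query
    carries a subdomain not seen before, those subdomains look random (high
    character entropy) and almost all queries are A records, which matches the
    article's description of CASHY200 traffic. Thresholds are illustrative.
    """
    groups = defaultdict(list)
    for _ts, _client, qtype, qname in records:
        sub, dom = split_name(qname)
        groups[dom].append((sub, qtype))

    results = {}
    for dom, items in groups.items():
        subs = [sub for sub, _ in items]
        total = len(items)
        unique_ratio = len(set(subs)) / total
        mean_entropy = sum(shannon_entropy(s) for s in subs) / total
        a_ratio = sum(1 for _, qt in items if qt == "A") / total
        flagged = (total >= min_queries
                   and unique_ratio >= min_unique_ratio
                   and mean_entropy >= min_entropy
                   and a_ratio >= min_a_ratio)
        results[dom] = {
            "queries": total,
            "unique_ratio": round(unique_ratio, 2),
            "mean_entropy": round(mean_entropy, 2),
            "a_ratio": round(a_ratio, 2),
            "flagged": flagged,
        }
    return results


if __name__ == "__main__":
    for dom, stats in score_domains(parse_log(SAMPLE_LOG)).items():
        print(dom, stats)
```

On the sample data only 'windows64x.com' is flagged: six A queries, each with a distinct ten-character subdomain of roughly 3.2 bits per character, whereas the benign 'microsoft.com' traffic repeats 'www' and never passes the unique-subdomain ratio. On real telemetry the same statistics should be computed per client as well as per domain, since tunneling is typically one host talking to one domain, and the Registry location named in the article (HKCU\Software\Microsoft\Cashe\index) gives a complementary host-based indicator to pair with this network-side check.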