
DownEx Malware

According to infosec researchers, government organizations in Central Asia have become the focus of a targeted and complex espionage campaign. The operation uses a previously undocumented malware family named DownEx. The attacks have not been attributed to a specific APT (Advanced Persistent Threat) or cybercriminal group, but the available evidence points to Russia-based actors.

The first reported incident involving DownEx occurred in Kazakhstan, where a highly targeted attack was launched against foreign government institutions in late 2022. A further attack was later observed in Afghanistan. The use of a diplomatically themed lure document and the attackers' focus on collecting sensitive data strongly suggest a state-sponsored group, although the identity of the outfit has not been confirmed. The operation is still ongoing and further attacks may occur, warn the researchers at Bitdefender, who published the report on the threat and its associated attack activity.

The DownEx Malware Attack Chain Begins with Lure Messages

The initial intrusion vector is believed to be a spear-phishing email whose attachment is a loader executable disguised as a Microsoft Word document. When the attachment is opened, two files are dropped: a decoy document that is displayed to the victim, and a malicious HTML Application (.HTA) file containing VBScript code that runs in the background. Because HTA files are executed by the Windows script host mshta.exe, the decoy and the hidden script activity are visible as separate processes in endpoint telemetry.
</grReplace_placeholder_do_not_emit>

The HTA file contacts a remote Command-and-Control (C2, C&C) server to retrieve the next-stage payload. The exact nature of that payload has not been disclosed, but it is believed to be a backdoor whose job is to establish persistence on the compromised host. The targeting and tradecraft indicate a well-organized and sophisticated threat actor, most likely state-sponsored, focused on exfiltrating data from foreign government institutions.

Additional Threatening Tools Deployed Alongside the DownEx Malware

Two variants of DownEx have been observed. The first is a C++ executable that relies on an intermediate VBScript to collect files of interest and send them to a remote server as a ZIP archive. The second is delivered via an encoded VBScript (VBE) file called slmgr.vibe and is itself written in VBScript rather than C++. Despite the change of language, the second variant retains the same malicious capabilities as the first.

The second DownEx variant uses a fileless technique: the DownEx script itself is executed in memory only and is never written to disk as a standalone file. "Fileless" applies to the final script, not to the whole chain. The VBE loader and the script host process that runs it (wscript.exe or cscript.exe) are still observable, so process-creation logging, script-block logging and AMSI, which inspects script content at execution time, remain the practical detection points. The technique reflects the broader trend of attackers moving payloads into memory to make their activity harder to detect with file-based scanning alone.
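The two execution chains described above (a disguised loader spawning mshta.exe to run an HTA, and a VBE file run through a script host that then executes in memory) share a detectable shape in endpoint telemetry. The following Python script is an added example written for this entry; it is not code from the original page or from Bitdefender. It runs simple hunting rules over Sysmon-style process-creation and network-connection events and correlates a suspicious script host with its later outbound connection. The event layout, the file names (invitation.docx.exe, update.hta, slmgr.vbe) and the addresses are constructed for illustration; the double-extension check is one common way a loader is disguised as a Word document and is an assumption, since the page does not say how the disguise was done.

```python
"""Hunt for DownEx-style script-host execution chains in endpoint telemetry.

Added example, not from the original page or from Bitdefender's report.
Assumes Sysmon-like events flattened to dicts:
  kind="process": pid, image, parent_image, cmdline   (Sysmon Event ID 1)
  kind="network": pid, image, dest                    (Sysmon Event ID 3)
All sample events below are constructed for illustration.
"""
import re
from pathlib import PureWindowsPath

# Windows script hosts that run HTA / VBScript / encoded VBScript.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
# "report.docx.exe"-style lure: document extension followed by an executable one.
DOC_LOOKALIKE_RE = re.compile(r"\.(docx?|pdf|xlsx?|rtf)\.(exe|scr|com|pif)$")
# Script file handed to a script host on the command line.
SCRIPT_ARG_RE = re.compile(r"\.(hta|vbe|vbs|wsf)(\b|$)")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def is_document_lookalike(path: str) -> bool:
    """True for names such as invitation.docx.exe (assumed loader disguise)."""
    return bool(DOC_LOOKALIKE_RE.search(basename(path)))


def analyze(events):
    """Return a list of (pid, reason) findings.

    A process event is flagged when a script host is spawned by a
    document-lookalike executable or an Office app, or is given an .hta/.vbe
    file. A network event is flagged only if its pid was already flagged,
    which ties the C2 fetch to the suspicious script host.
    """
    findings = []
    suspicious_pids = set()
    for ev in events:
        img = basename(ev["image"])
        if ev["kind"] == "process":
            parent = basename(ev["parent_image"])
            cmd = ev.get("cmdline", "").lower()
            reasons = []
            if img in SCRIPT_HOSTS:
                if DOC_LOOKALIKE_RE.search(parent):
                    reasons.append(f"{img} spawned by document-lookalike {parent}")
                if parent in OFFICE_APPS:
                    reasons.append(f"{img} spawned by Office application {parent}")
                m = SCRIPT_ARG_RE.search(cmd)
                if m and m.group(1) == "vbe":
                    reasons.append("encoded VBScript (.vbe) passed to script host")
                elif m and m.group(1) == "hta" and img == "mshta.exe":
                    reasons.append("HTA file launched via mshta.exe")
            if reasons:
                suspicious_pids.add(ev["pid"])
                findings.extend((ev["pid"], r) for r in reasons)
        elif ev["kind"] == "network":
            if img in SCRIPT_HOSTS and ev["pid"] in suspicious_pids:
                findings.append(
                    (ev["pid"], f"{img} outbound to {ev['dest']} (possible C2 fetch)")
                )
    return findings


# Constructed sample telemetry: one HTA chain, one VBE chain, one benign logon script.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 4120, "image": r"C:\Users\u\Downloads\invitation.docx.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "invitation.docx.exe"},
    {"kind": "process", "pid": 4188, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Users\u\Downloads\invitation.docx.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\update.hta"},
    {"kind": "network", "pid": 4188, "image": r"C:\Windows\System32\mshta.exe",
     "dest": "203.0.113.7:443"},
    {"kind": "process", "pid": 5210, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"wscript.exe //e:vbscript C:\ProgramData\slmgr.vbe"},
    {"kind": "process", "pid": 6000, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"wscript.exe C:\scripts\logon.vbs"},
    {"kind": "network", "pid": 6000, "image": r"C:\Windows\System32\wscript.exe",
     "dest": "10.0.0.5:445"},
]

if __name__ == "__main__":
    for pid, reason in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Running the script flags the mshta.exe process twice (document-lookalike parent and HTA argument), its outbound connection once, and the wscript.exe process running the .vbe file once; the benign logon.vbs process and its SMB connection are not reported. The network rule deliberately requires a prior process finding for the same pid so that ordinary script-host traffic does not flood the output.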
