DownEx Espionage Dissection

Researchers have observed a malware called DownEx actively targeting government institutions in Central Asia for cyberespionage. Initially detected in 2022 in a highly targeted attack aimed at exfiltrating data from foreign government institutions in Kazakhstan.

The domain and IP addresses involved do not appear in any previously documented incidents, and the malware does not share any code similarities with previously known malicious software

Based on the specific targets of the attacks, the document metadata impersonating a real diplomat, and the primary focus being on data exfiltration, researchers believe that a state-sponsored group is responsible for these incidents. While the attacks have not been attributed to any specific threat actor, it is likely that a Russian group is responsible for the attacks.

The initial access method used by the group is phishing emails. The attack used a simple technique of using an icon file associated with .docx files to masquerade an executable file as a Microsoft Word document.

When the victim opens the attachment two files are downloaded, a lure document that’s displayed to the victim and a malicious HTML application with the embedded code that runs in the background. The payload is designed to establish communication with the command-and-control servers.

Upon execution, DownEx moves laterally across local and network drives to extract files from Word, Excel, and PowerPoint documents, images and videos, compressed files, and PDFs. It also looks for encryption keys and QuickBooks log files.

DownEx exfiltrates data using a password-protected zip archive, limiting the size of each archive to 30 MB. In some cases, multiple archives were exfiltrated, the researchers observed.

To prevent attacks like this, it is advised organizations to focus on implementing a combination of cybersecurity technologies to harden their security posture. Technologies such as advanced malware detection with machine learning that can identify malicious scripts, email filtering, sandbox for the detonation of suspicious files, network protection that can block C2 connections, and detection and response capabilities that extend beyond the endpoints to networks

Indicators of Compromise

• 1e46ef362b39663ce8d1e14c49899f0e
• bb7cf346c7db1c518b1a63c83e30c602
• a45106470f946ea6798f7d42878cff51
• 3ac42f25df0b600d6fc9eac73f011261
• 14a8aad94b915831fc1d3a8e7e00a5df
• 457eca2f6d11dd04ccce7308c1c327b7
• d310a9f28893857a0dc1f7c9b624d353
• d20e4fffbac3f46340b61ab8f7d578b1
• 5602da1f5b034c9d2d6105cdc471852b
• 89f15568bc19cc38caa8fd7efca977af
• ae5d4b9c1038f6840b563c868692f2aa
• c273cdfcfd808efa49ec0ed4f1c976e0
• d11fcd39a30a23176337847e54d7268c
• 70e4305af8b00d04d95fba1f9ade222d
• 1492b0079b04eb850279114b4361f10c
• net-certificate[.]services
• 139.99.126[.]38
• 84.32.188[.]123
• 206.166.251[.]216