Inception uses a two-stage spear-phishing process to deliver POWERSHOWER. Initially, a reconnaissance email with a Microsoft Word attachment is sent to the user. This attachment contains a malicious Microsoft Word Remote Template. When opened, the attachment contacts a command and control (C2) server, which sends a secondary email containing a malicious RTF document with exploits for two Word vulnerabilities. These exploits then execute a VBScript script that downloads and installs POWERSHOWER.
Remote templates are a feature of Microsoft Word that lets a document load the template it is based on from an external location – either a file share or a web server – rather than from the local machine. This is why the first-stage document can fetch content from the attacker's infrastructure as soon as it is opened.
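The remote-template reference lives inside the .docx container, so it can be spotted before the document is ever opened. The following is an added example (not code from the original article or from any vendor report) that builds a minimal .docx in memory, then scans `word/_rels/settings.xml.rels` for an `attachedTemplate` relationship whose target is an HTTP(S) or UNC location. The host name `template-host.example` and the sample documents are constructed for the demonstration; a local `file:///` template, which is the normal case for a document based on `Normal.dotm`, is deliberately not flagged.

```python
"""Detect Word documents that load their template from a remote host.

Added example, not from the original article. A .docx is a ZIP archive; the
attached template is declared in word/_rels/settings.xml.rels as a
Relationship of type ".../attachedTemplate". Legitimate local templates use a
file:/// target, so only http(s) and UNC (\\server\share) targets are flagged.
Sample documents are constructed inline and are not real malware.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_attached_templates(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target declared in the document."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # Only settings.xml.rels carries the attached template relationship.
        if SETTINGS_RELS not in z.namelist():
            return hits
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter("{%s}Relationship" % RELS_NS):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                hits.append(rel.get("Target", ""))
    return hits


def is_remote_target(target: str) -> bool:
    """True for targets fetched over the network: http(s) URLs or UNC paths."""
    t = target.strip().lower()
    return t.startswith(("http://", "https://", "\\\\"))


def scan_docx(docx_bytes: bytes) -> List[str]:
    """Return the remote template targets a defender should alert on."""
    return [t for t in find_attached_templates(docx_bytes) if is_remote_target(t)]


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx in memory (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        if template_target is not None:
            z.writestr(
                SETTINGS_RELS,
                '<Relationships xmlns="%s">' % RELS_NS
                + '<Relationship Id="rId1" Type="%s" ' % ATTACHED_TEMPLATE
                + 'Target="%s" TargetMode="External"/>' % template_target
                + "</Relationships>",
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical host name; constructed for the demonstration only.
    remote = build_sample_docx("http://template-host.example/template.dotm")
    local = build_sample_docx("file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm")
    plain = build_sample_docx(None)
    print("remote:", scan_docx(remote))  # flagged
    print("local:", scan_docx(local))    # empty
    print("plain:", scan_docx(plain))    # empty
```

The check is cheap enough to run on every Office attachment at the mail gateway; a hit on an HTTP(S) or UNC template target is a strong signal for the first stage described above, and the target host itself is an indicator worth blocking.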
Once installed, POWERSHOWER creates registry entries to maintain persistence and to ensure that future PowerShell instances appear off-screen by default. It then terminates Word processes and removes all files and registry entries associated with its installation, sends system information to the C2 server, and awaits further instructions.
Microsoft Windows – All versions
Indicators of Compromise
Remote Template Documents where we have the matching payload
Remote templates analyzed.
Other related templates and exploit documents from 2018
51.255.139[.]194 Remote template host
188.165.62[.]40 Remote template host
200.122.128[.]208 POWERSHOWER C2
108.170.52[.]158 Remote template host
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.