Sunday, July 21, 2024
EHA

Hackers Distributing Malicious RTF Excel Sheets Document and Installing RAT using VBA Macro code

A recently discovered RTF documents that contain malicious VBA Macro code distributing to infect the windows users with dangerous Remote access Trojan ( RAT ). NetwiredRC and Quasar.

NetWiredRC and  Quasar is a remote access Trojan that used by cyber-criminals to gain complete control of victim’s computer remotely.

Malware authors always finding a unique way to distributing and execute the malware using various social engineering method via malicious documents.

Both Remote access Trojan capable of performing various malicious operations such as remote webcam, remote shell and keylogging.

In this scenario, both critical RAT has dropped by macro contain malicious RTF documents with Excel sheets.

Recent days macro enabled malicious documents based malware attacks are widely discovered and getting into large number victims since the Microsoft documents are mainly used platform for the organization as well as individuals for various operations.

Also Read:  Mirai Based Botnet “OMG” Turns IoT Device into a Proxy Server

RAT Infection Flow with VBA Macro Code

Initially, the Malicious  RTF document spreading via social engineering campaign which consists of Macro Excel sheets.

Once a user clicks the  RTF Document, embedded macro repeatedly showing the popup and forcing users to enable the Macros.

In this case, there is no way to stop the popups excepts to click and force stop the whole documents and macro warning popup 1o times because it contains 10 excel documents.

Infection Flow

Malware author used a method called “\objupdate” control in embedded excel sheet that helps to execute the Macro code during the RTF document loaded and this method was abused the CVE-2017-0199, but it is not used in this worst-case scenario.

According to zscaler Reseachers, We observed two variations of the malicious macro in this campaign (see Fig. 5). Although the macro code is identical, it is executing the PowerShell command to download intermediate payloads using Schtasks and cmd.exe.

Later Powershell downloads a malicious VBS Script and executes it the final payload that NetwiredRC and QusarRat.

The malware also permanently enables macros for Word, PowerPoint, and Excel by doing registry modification and disable the protected view settings.

Website

Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles