A recently discovered RTF documents that contain malicious VBA Macro code distributing to infect the windows users with dangerous Remote access Trojan ( RAT ). NetwiredRC and Quasar.
NetWiredRC and Quasar is a remote access Trojan that used by cyber-criminals to gain complete control of victim’s computer remotely.
Malware authors always finding a unique way to distributing and execute the malware using various social engineering method via malicious documents.
Both Remote access Trojan capable of performing various malicious operations such as remote webcam, remote shell and keylogging.
In this scenario, both critical RAT has dropped by macro contain malicious RTF documents with Excel sheets.
Recent days macro enabled malicious documents based malware attacks are widely discovered and getting into large number victims since the Microsoft documents are mainly used platform for the organization as well as individuals for various operations.
Also Read: Mirai Based Botnet “OMG” Turns IoT Device into a Proxy Server
Initially, the Malicious RTF document spreading via social engineering campaign which consists of Macro Excel sheets.
Once a user clicks the RTF Document, embedded macro repeatedly showing the popup and forcing users to enable the Macros.
In this case, there is no way to stop the popups excepts to click and force stop the whole documents and macro warning popup 1o times because it contains 10 excel documents.
Malware author used a method called “\objupdate” control in embedded excel sheet that helps to execute the Macro code during the RTF document loaded and this method was abused the CVE-2017-0199, but it is not used in this worst-case scenario.
According to zscaler Reseachers, We observed two variations of the malicious macro in this campaign (see Fig. 5). Although the macro code is identical, it is executing the PowerShell command to download intermediate payloads using Schtasks and cmd.exe.
Later Powershell downloads a malicious VBS Script and executes it the final payload that NetwiredRC and QusarRat.
The malware also permanently enables macros for Word, PowerPoint, and Excel by doing registry modification and disable the protected view settings.
Hackers prefer phishing as it exploits human vulnerabilities rather than technical flaws which make it a highly effective and low-cost…
A very important message from the Norwegian National Cyber Security Centre (NCSC) says that Secure Socket Layer/Transport Layer Security (SSL/TLS)…
Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target…
ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine, to target infected systems, which extracts…
Santander has confirmed that there was a major data breach that affected its workers and customers in Spain, Uruguay, and…
The U.S. government has offered a prize of up to $5 million for information that leads to the arrest and…
