Hackers use macros in Microsoft Office documents to distribute malicious scripts and it will be executed once the user opens the document such as Word, Excel, or PowerPoint.
With Microsoft office, Dynamic Data Exchange(DDE) used to exchange data between application and attackers using this in wild to execute malicious scripts and to compromise victims.
Security researchers From trustwave spotted a new Email spam campaign with the macro-less approach. Instead, they are using Multi-Stage infection process to install the password stealer malware as a final payload in the victim machine.
Email subjects in Spam Campaign
TNT STATEMENT OF ACCOUNT – {random numbers}...............
Request for Quotation (RFQ) - <{random numbers}>
Telex Transfer Notification
SWIFT COPY FOR BALANCE PAYMENT Once the victim downloads and opens the malicious documents that contain an embedded OLE from their email, it downloads and executes a remote document RTF file.
The Downloaded RTF file exploits the Vulnerability CVE-2017-11882(Microsoft Office Memory Corruption Vulnerability) that target MS Equation Editor tool.
Also Read New Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware that Creating Backdoor
OnceRTF executed it execute an MSHTA command line which downloads and executes a remote HTA file and the HTA file contains obfuscated VBscripts to download the remote binary file that downloads the final payload Password Stealer Malware.
The downloaded malware is capable of stealing the password from email, FTP, and browser by concatenating available memory strings.
Researchers said It’s pretty unusual to find so many stages and vectors being used to download malware. Indeed, this approach can be very risky for the malware author.
With the Microsoft January update, they removed some of the functionalities with Equation Editor which fixes this vulnerability.
Last November Microsoft released best security practices on how to safely open Office documents that contain Dynamic Data Exchange and strongly recommends to review the security feature.
DOCX File MD5: F7DA16B16567A78C49D998AE85021A0F SHA1: 776C469861C3AC30AA63D9434449498456864653 RTF File MD5: 79BCAFD6807332AD2B52C61FE05FFD22 SHA1: 0D8215F88C75CD8FBF2DFAB12D47B520ECE94C52 HTA File MD5: 11B28D4C555980938FE7440629C6E0EC SHA1: 0ADD65090EF957AA054236FF6DD59B623509EC8B Final Payload MD5: EDB27CC321DF63ED62502C172C172D4F SHA1: C4AA4E70521DD491C16CE1FBAB2D4D225C41D1EA
A groundbreaking technique for Kerberos relaying over HTTP, leveraging multicast poisoning, has been recently detailed…
Since mid-2024, cybersecurity researchers have been monitoring a sophisticated Android malware campaign dubbed "Tria Stealer,"…
Proton, the globally recognized provider of privacy-focused services such as Proton VPN and Proton Pass,…
The cybersecurity landscape faces increasing challenges as Arcus Media ransomware emerges as a highly sophisticated…
Proofpoint researchers have identified a marked increase in phishing campaigns and malicious domain registrations designed…
A recent investigation by Unit 42 of Palo Alto Networks has uncovered a sophisticated, state-sponsored…