Beware of Weaponized Office Documents that Deliver VenomRAT

Since office documents are often used in business communications, hackers take advantage of this fact to disseminate malicious malware easily.

Hackers can mislead users into unintentionally activating malware by hiding it in documents that appear to be safe, which gives the malware access to systems and networks.

Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) recently identified that hackers have been actively exploiting the weaponized Office documents to deliver VenomRAT.

Free Trial

Streaming Malware Service

Open Suspicious Files & Links in the ANY RUN Sandbox Safely; Try All Features for Free. Understand malware behavior, collect IOCs, and easily map malicious actions to TTPs — all in our interactive sandbox.

Free Trial

Office Documents Deliver VenomRAT

ASEC discovered a malicious shortcut file, ‘Survey.docx.lnk,’ which delivers VenomRAT (AsyncRAT), and it’s disguised as a legit Word file that is bundled in a compressed file with a genuine text file. 

The attack uses ‘blues.exe’ masked as a Korean company’s certificate, which urges caution. The LNK file executes malicious commands connecting to an external URL through “mshta.” The decoded URL reveals PowerShell commands downloading files to %appdata%. 

The downloaded ‘qfqe.docx’ seems innocent, but ‘blues.exe’ is a malware downloader. Executing it downloads additional scripts through PowerShell, including ‘sys.ps1,’ which further fetches data from ‘adb.dll’ in a fileless format. 

Besides this, the ‘adb.dll’ contains an encoded shellcode decrypted by XORing Base64 with the ‘sorootktools’ string.

The executed shellcode by VenomRAT (AsyncRAT) conducts the following things:-

• Keylogging
• PC info leaks
• Obeys threat actor commands

The malicious shortcut files resembling legit documents actively spread and demand user vigilance due to the hidden ‘.lnk’ extension.

IoCs

File Detection

• Trojan/LNK.Runner (2024.01.16.00)
• Trojan/HTML.Agent.SC196238 (2024.01.17.00)
• Trojan/Win.Generic.C5572807 (2024.01.12.03)
• Trojan/PowerShell.Agent (2024.01.17.00)
• Trojan/Win.Generic.C5337844 (2022.12.21.00)

Behavior Detection

• Execution/MDP.Powershell.M2514

MD5

• 2dfaa1dbd05492eb4e9d0561bd29813b
• f57918785e7cd4f430555e6efb00ff0f
• e494fc161f1189138d1ab2a706b39303
• 2d09f6e032bf7f5a5d1203c7f8d508e4
• 335b8d0ffa6dffa06bce23b5ad0cf9d6

C&C

• hxxp://194.33.191[.]248:7287/docx1.hta
• hxxp://194.33.191[.]248:7287/qfqe.docx
• hxxp://194.33.191[.]248:7287/blues.exe
• hxxp://194.33.191[.]248:7287/sys.ps1
• hxxp://194.33.191[.]248:7287/adb.dll
• 194.33.191[.]248:4449