Since workplace paperwork are sometimes utilized in enterprise communications, hackers reap the benefits of this reality to disseminate malicious malware simply.
Hackers can mislead customers into unintentionally activating malware by hiding it in paperwork that look like protected, which provides the malware entry to programs and networks.
Cybersecurity researchers at AhnLab Safety Intelligence Heart (ASEC) just lately recognized that hackers have been actively exploiting the weaponized Workplace paperwork to ship VenomRAT.
Open Suspicious Recordsdata & Hyperlinks within the ANY RUN Sandbox Safely; Attempt All Options for Free. Perceive malware conduct, acquire IOCs, and simply map malicious actions to TTPs — all in our interactive sandbox.
Workplace Paperwork Ship VenomRAT
ASEC found a malicious shortcut file, ‘Survey.docx.lnk,’ which delivers VenomRAT (AsyncRAT), and it’s disguised as a legit Phrase file that’s bundled in a compressed file with a real textual content file.
The assault makes use of ‘blues.exe’ masked as a Korean firm’s certificates, which urges warning. The LNK file executes malicious instructions connecting to an exterior URL by “mshta.” The decoded URL reveals PowerShell instructions downloading information to %appdata%.
The downloaded ‘qfqe.docx’ appears harmless, however ‘blues.exe’ is a malware downloader. Executing it downloads further scripts by PowerShell, together with ‘sys.ps1,’ which additional fetches information from ‘adb.dll’ in a fileless format.
Moreover this, the ‘adb.dll’ accommodates an encoded shellcode decrypted by XORing Base64 with the ‘sorootktools’ string.
The executed shellcode by VenomRAT (AsyncRAT) conducts the next issues:-
- Keylogging
- PC data leaks
- Obeys risk actor instructions
The malicious shortcut information resembling legit paperwork actively unfold and demand consumer vigilance as a result of hidden ‘.lnk’ extension.
IoCs
File Detection
- Trojan/LNK.Runner (2024.01.16.00)
- Trojan/HTML.Agent.SC196238 (2024.01.17.00)
- Trojan/Win.Generic.C5572807 (2024.01.12.03)
- Trojan/PowerShell.Agent (2024.01.17.00)
- Trojan/Win.Generic.C5337844 (2022.12.21.00)
Habits Detection
- Execution/MDP.Powershell.M2514
MD5
- 2dfaa1dbd05492eb4e9d0561bd29813b
- f57918785e7cd4f430555e6efb00ff0f
- e494fc161f1189138d1ab2a706b39303
- 2d09f6e032bf7f5a5d1203c7f8d508e4
- 335b8d0ffa6dffa06bce23b5ad0cf9d6
C&C
- hxxp://194.33.191[.]248:7287/docx1.hta
- hxxp://194.33.191[.]248:7287/qfqe.docx
- hxxp://194.33.191[.]248:7287/blues.exe
- hxxp://194.33.191[.]248:7287/sys.ps1
- hxxp://194.33.191[.]248:7287/adb.dll
- 194.33.191[.]248:4449