An advanced persistent threat (APT) group is leveraging the coronavirus pandemic to infect victims with previously unknown malware, in a recently discovered campaign that researchers call “Vicious Panda.”

Researchers identified two suspicious Rich Text Format files (RTF, a text file format used by Microsoft products) targeting the Mongolian public sector. Once opened, a custom and unique remote-access trojan (RAT) is executed that takes screenshots of the device, builds a list of files and directories, downloads files and more.

“In this campaign, we observed the latest iteration of what seems to be a long-running Chinese-based operation against a variety of governments and organizations worldwide,” said researchers with Check Point Research, in a Thursday post. “This specific campaign leverages the COVID-19 pandemic to lure victims to trigger the infection chain.”

The emails purport to come from the Mongolian Ministry of Foreign Affairs, and claim to inform victims about the prevalence of new coronavirus infections.

The RTF files attached to the emails were weaponized using a version of a tool named RoyalRoad. This tool, commonly used by various Chinese threat actors, allows the attacker to create customized documents with embedded objects that exploit unspecified vulnerabilities in Equation Editor, a component for building complex equations in Microsoft Word.

After the victim opens the specially crafted RTF document and the Microsoft Word vulnerability is exploited, a malicious file (intel.wll) is dropped into the Microsoft Word startup folder (%APPDATA%\Microsoft\Word\STARTUP). Word loads every .wll add-in found in that folder the next time it starts, so the payload does not run until Word is relaunched.

“This not only serves as a persistence technique, but also prevents the infection chain from fully ‘detonating’ if run inside a sandbox, as a relaunch of Microsoft Word is required for the full execution of the malware,” said researchers.

The file, intel.wll, then downloads a DLL file, which serves as the loader for the malware and which also communicates with the threat actor’s command-and-control (C2) server.

“The threat actor operates the C&C server in a limited daily window, going online only for a few hours each day, making it harder to analyze and gain access to the advanced parts of the infection chain,” said researchers.
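The Word STARTUP persistence described above is straightforward to hunt for, because Word auto-loads any .wll add-in or global template placed in that folder. The script below is an added example written for this page, not code from Check Point Research or from the campaign. It scans the per-user STARTUP path named in the article; the machine-wide Office STARTUP paths it also checks are an assumption about the Office install layout, not something the article states. For each auto-loaded file it records size, SHA-256 and whether the file starts with a PE (MZ) header, which a .wll always should and a template never should. The demo runs against a constructed temporary folder containing a fake intel.wll so it can be exercised offline.

```python
"""Hunt for Word STARTUP-folder persistence (.wll add-ins and global templates).

Added example for this page; not Check Point's or the campaign's code.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# File types Word loads automatically from a STARTUP folder:
# .wll is a Word add-in DLL; .dot/.dotm/.dotx are global templates.
AUTOLOAD_EXTS = {".wll", ".dot", ".dotm", ".dotx"}


def default_startup_dirs():
    """Candidate STARTUP folders on the current host.

    The per-user path is the one the article names. The machine-wide
    Office paths are an ASSUMPTION about a default Office 2016+/365 layout.
    """
    dirs = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.append(Path(appdata) / "Microsoft" / "Word" / "STARTUP")
    for var in ("ProgramFiles", "ProgramFiles(x86)"):
        base = os.environ.get(var)
        if base:  # assumed layout, see docstring
            dirs.append(Path(base) / "Microsoft Office" / "root" / "Office16" / "STARTUP")
    return dirs


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large add-ins do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def has_pe_header(path: Path) -> bool:
    """True if the file begins with the 'MZ' DOS stub every PE/DLL carries."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def scan_startup_dir(startup_dir):
    """Return one record per auto-loaded file in startup_dir (empty if missing).

    A .wll without a PE header, or a template with one, is worth a closer look;
    any .wll at all in a user's STARTUP folder is unusual and should be triaged.
    """
    findings = []
    startup_dir = Path(startup_dir)
    if not startup_dir.is_dir():
        return findings
    for entry in sorted(startup_dir.iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in AUTOLOAD_EXTS:
            continue
        findings.append({
            "name": entry.name,
            "path": str(entry),
            "size": entry.stat().st_size,
            "sha256": sha256_of(entry),
            "pe": has_pe_header(entry),
        })
    return findings


def demo():
    """Constructed sample: a fake intel.wll and a template in a temp STARTUP folder."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / "STARTUP"
        startup.mkdir()
        # Constructed fake add-in: an MZ stub padded to 64 bytes, not a real DLL.
        (startup / "intel.wll").write_bytes(b"MZ" + b"\x00" * 62)
        # Constructed template: starts with the ZIP magic of an Office Open XML file.
        (startup / "company.dotm").write_bytes(b"PK\x03\x04")
        # Not an auto-loaded type; must be ignored by the scan.
        (startup / "readme.txt").write_text("not loaded by Word")
        return scan_startup_dir(startup)


if __name__ == "__main__":
    for directory in default_startup_dirs():
        for record in scan_startup_dir(directory):
            flag = "" if (record["name"].lower().endswith(".wll") == record["pe"]) else "  <-- header mismatch"
            print(f"{record['path']}  {record['size']}B  sha256={record['sha256']}  pe={record['pe']}{flag}")
    print("demo:", demo())
```

Run it as the affected user so %APPDATA% resolves to that profile; any .wll reported from the per-user folder, including intel.wll, is a candidate for the persistence step described above and its hash can be compared against the indicators in the original report.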