Since office documents are often used in business communications, hackers take advantage of this fact to disseminate malicious malware easily.
Hackers can mislead users into unintentionally activating malware by hiding it in documents that appear to be safe, which gives the malware access to systems and networks.
Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) recently identified that hackers have been actively exploiting the weaponized Office documents to deliver VenomRAT.
Document
@import url('https://fonts.googleapis.com/css2?family=Poppins&display=swap');
@import url('https://fonts.googleapis.com/css2?family=Poppins&family=Roboto&display=swap');
*{
margin: 0; padding: 0;
text-decoration: none;
}
.container{
font-family: roboto, sans-serif;
width: 90%;
border: 1px solid lightgrey;
padding: 20px;
background: linear-gradient(2deg,#E0EAF1 100%,#BBD2E0 100%);
margin: 20px auto ;
border-radius: 40px 10px;
box-shadow: 5px 5px 5px #e2ebff;
}
.container:hover{
box-shadow: 10px 10px 5px #e2ebff;
}
.container .title{
color: #015689;
font-size: 22px;
font-weight: bolder;
}
.container .title{
text-shadow: 1px 1px 1px lightgrey;
}
.container .title:after {
width: 50px;
height: 2px;
content: ' ';
position: absolute;
background-color: #015689;
margin: 20px 8px;
}
.container h2{
line-height: 40px;
margin: 2px 0;
font-weight: bolder;
}
.container a{
color: #170d51;
}
.container p{
font-size: 18px;
line-height: 30px;
}
.container button{
padding: 15px;
background-color: #4469f5;
border-radius: 10px;
border: none;
background-color: #00456e ;
font-size: 16px;
font-weight: bold;
margin-top: 5px;
}
.container button:hover{
box-shadow: 1px 1px 15px #015689;
transition: all 0.2S linear;
}
.container button a{
color: white;
}
hr{
/ display: none; /
}
Free Trial
Streaming Malware Service
Open Suspicious Files & Links in the ANY RUN Sandbox Safely; Try All Features for Free. Understand malware behavior, collect IOCs, and easily map malicious actions to TTPs — all in our interactive sandbox.
Free Trial
Office Documents Deliver VenomRAT
ASEC discovered a malicious shortcut file, ‘Survey.docx.lnk,’ which delivers VenomRAT (AsyncRAT), and it’s disguised as a legit Word file that is bundled in a compressed file with a genuine text file.
The attack uses ‘blues.exe’ masked as a Korean company’s certificate, which urges caution. The LNK file executes malicious commands connecting to an external URL through “mshta.” The decoded URL reveals PowerShell commands downloading files to %appdata%.
The downloaded ‘qfqe.docx’ seems innocent, but ‘blues.exe’ is a malware downloader. Executing it downloads additional scripts through PowerShell, including ‘sys.ps1,’ which further fetches data from ‘adb.dll’ in a fileless format.
Besides this, the ‘adb.dll’ contains an encoded shellcode decrypted by XORing Base64 with the ‘sorootktools’ string.
Operation process (Source – ASEC)
The executed shellcode by VenomRAT (AsyncRAT) conducts the following things:-
Keylogging
PC info leaks
Obeys threat actor commands
The malicious shortcut files resembling legit documents actively spread and demand user vigilance due to the hidden ‘.lnk’ extension.
IoCs
File Detection
Trojan/LNK.Runner (2024.01.16.00)
Trojan/HTML.Agent.SC196238 (2024.01.17.00)
Trojan/Win.Generic.C5572807 (2024.01.12.03)
Trojan/PowerShell.Agent (2024.01.17.00)
Trojan/Win.Generic.C5337844 (2022.12.21.00)
Behavior Detection
Execution/MDP.Powershell.M2514
MD5
2dfaa1dbd05492eb4e9d0561bd29813b
f57918785e7cd4f430555e6efb00ff0f
e494fc161f1189138d1ab2a706b39303
2d09f6e032bf7f5a5d1203c7f8d508e4
335b8d0ffa6dffa06bce23b5ad0cf9d6
C&C
hxxp://194.33.191[.]248:7287/docx1.hta
hxxp://194.33.191[.]248:7287/qfqe.docx
hxxp://194.33.191[.]248:7287/blues.exe
hxxp://194.33.191[.]248:7287/sys.ps1
hxxp://194.33.191[.]248:7287/adb.dll
194.33.191[.]248:4449
The post Beware of Weaponized Office Documents that Deliver VenomRAT appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform .
