
Big Box LatAm Hack (3rd Part – Infection by Office Files)

Malicious macro-enabled Microsoft Office document
The last interesting item found on the same malicious cybercriminal server is a .docm file (a macro-enabled Word document, in Microsoft Office terminology).

It is a malicious file that, when opened, shows its victims the following content:

[Image: the decoy page displayed by the document, inviting the victim to click and download an MMS message]

If macros are enabled and the victim clicks on the message to supposedly download an MMS message, two pieces of malware are installed on the victim's machine.

Malicious part of the document
The malicious part of the document is the embedded macro container named “vbaProject.bin“: it is located at offset 0x00000f14 inside the file and is 18,944 bytes in size.

[Image: location and size of the vbaProject.bin stream inside the .docm file]

When the macro container is extracted from the main .docm file, it contains two different URLs, each downloading a different piece of malware. Each image in the macro-enabled file downloads a different sample when the victim clicks on it.
The first sample is downloaded from the same malicious server located in Panama, and the second one from the Dropbox cloud.

[Image: download URL of the first sample (server in Panama)]

[Image: download URL of the second sample (Dropbox)]

Kaspersky Anti-Virus detects both malicious files under the Trojan.MSIL.Agent family.
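The triage steps described above (locate the vbaProject.bin stream inside the .docm container, note its offset and size, and pull download URLs out of it) can be scripted. The following is an added example written for this post, not code from the original article or from Kaspersky; it builds a constructed .docm-like zip with placeholder URLs (not the real Panama or Dropbox addresses) so that it runs offline. The offset it reports is the zip local-header offset of the entry, which is an assumption about what the tool in the screenshot measured.

```python
import io
import re
import zipfile

# Constructed sample macro container: a stub with the OLE2 magic the real
# stream carries, followed by two placeholder download URLs. The hosts are
# invented for this example and are not the URLs seen in the real document.
SAMPLE_VBA = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    + b"\x00" * 24
    + b"URLDownloadToFile http://malicious.example/payload1.exe \x00"
    + b"https://www.dropbox.com/s/EXAMPLE/payload2.exe?dl=1\x00"
)


def build_sample_docm() -> bytes:
    """Assemble a minimal .docm-like zip in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", SAMPLE_VBA)
    return buf.getvalue()


# http(s) URLs made of the characters commonly seen in download links.
URL_RE = re.compile(rb"https?://[\w\-./?%&=:#]+", re.IGNORECASE)


def triage_docm(data: bytes) -> dict:
    """Locate the macro container in a .docm and list the URLs it carries.

    A .docm is an OOXML zip; macros live in the word/vbaProject.bin entry.
    header_offset is where that entry's local file header sits in the zip,
    file_size is the decompressed size of the stream.
    """
    result = {"macro_stream": None, "header_offset": None, "size": None, "urls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.filename.lower().endswith("vbaproject.bin"):
                raw = z.read(info)
                result["macro_stream"] = info.filename
                result["header_offset"] = info.header_offset
                result["size"] = info.file_size
                result["urls"] = sorted(
                    {u.decode("ascii", "replace") for u in URL_RE.findall(raw)}
                )
                break
    return result


if __name__ == "__main__":
    report = triage_docm(build_sample_docm())
    print(f"macro stream : {report['macro_stream']}")
    print(f"header offset: 0x{report['header_offset']:08x}")
    print(f"size         : {report['size']:,} bytes")
    for url in report["urls"]:
        print(f"url          : {url}")
```

One caveat for real samples: VBA module source inside vbaProject.bin is stored with MS-OVBA compression, so a plain string search over the raw stream only finds URLs kept in uncompressed areas (for example in form or string tables); a decompressing tool such as olevba from the oletools project is the usual way to recover the full macro source and its download URLs.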

What is interesting here?

If you look at the image of the document above, you will see that the content of the document is in Spanish; however, the language used to edit the document is Turkish. The file metadata also shows that the document was authored on a machine by a user named ilyasOzdogan.

[Image: document metadata showing the Turkish editing language and the author name ilyasOzdogan]

It is also interesting to notice that one of the downloaded MSIL.Agent samples carries the same user name in the source (PDB) path embedded in the compiled binary:

c:\users\lyaszdoan\documents\documents\visualstudio2012\projects\windowsformsapplication13\windowsformsapplication13\obj\debug\windowsformsapplication13.pdb
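The PDB path above is stored in the binary's CodeView debug record, which Visual Studio writes as the signature "RSDS", a 16-byte GUID, a 4-byte age and a NUL-terminated path. The following added example (written for this post, not code from the original article or from Kaspersky) pulls that path out of a PE file and derives the Windows user name from it, the same pivot used above to link the .docm author to the downloader. The sample bytes and the user name "exampleuser" are constructed for the example; the real sample's path is the one quoted above.

```python
import re
import struct

# Constructed PE fragment: an MZ stub followed by one CodeView RSDS record.
# The user name and project path are placeholders, not the real sample's.
SAMPLE_PDB_PATH = (
    r"c:\users\exampleuser\documents\visual studio 2012\projects"
    r"\windowsformsapplication13\obj\debug\windowsformsapplication13.pdb"
)


def build_sample_pe_fragment() -> bytes:
    """Build a byte string laid out like the debug data of a compiled PE."""
    record = (
        b"RSDS"
        + bytes(16)                    # PDB GUID (zeroed in this constructed sample)
        + struct.pack("<I", 1)         # age
        + SAMPLE_PDB_PATH.encode("utf-8") + b"\x00"
    )
    return b"MZ" + b"\x00" * 62 + record + b"\x00" * 8


def extract_pdb_paths(pe_bytes: bytes) -> list:
    """Return every PDB path found in CodeView 7.0 ('RSDS') debug records.

    This is a quick triage scan over the raw bytes; a full parser would walk
    IMAGE_DEBUG_DIRECTORY instead of searching for the signature, but the
    string search is enough to recover developer paths from most samples.
    """
    paths = []
    pos = 0
    while True:
        idx = pe_bytes.find(b"RSDS", pos)
        if idx == -1:
            break
        start = idx + 4 + 16 + 4          # signature + GUID + age
        end = pe_bytes.find(b"\x00", start)
        if end == -1:
            break
        raw = pe_bytes[start:end]
        try:
            paths.append(raw.decode("utf-8"))
        except UnicodeDecodeError:
            paths.append(raw.decode("latin-1"))
        pos = end
    return paths


def username_from_path(path: str):
    """Extract the account name from a c:\\users\\<name>\\... style path."""
    m = re.search(r"[\\/]users[\\/]([^\\/]+)[\\/]", path, re.IGNORECASE)
    return m.group(1) if m else None


if __name__ == "__main__":
    for pdb in extract_pdb_paths(build_sample_pe_fragment()):
        print(f"pdb path : {pdb}")
        print(f"user name: {username_from_path(pdb)}")
```

Comparing the user name recovered this way with the author field of the document metadata is a cheap pivot for clustering samples from the same operator.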

What does this mean? It means that Latin American cybercriminals are probably in touch not only with cybercriminals from Eastern Europe but with cybercriminals from Turkey too.
Today, some advanced cybercriminals use exploits to infect the machines of victims, but as you can see from this example, this may be a waste of money, since the old-school tricks still work for them. If you do not believe me, just see how on January 10, when the file was first submitted to VirusTotal, it registered 0 of 48 detections, and at the time of writing this post only 2 of 50 anti-virus solutions detected this malicious sample:

[Image: VirusTotal detection results for the sample]

You may follow me on Twitter: @dimitribest
