Trojanized DOCS with Malicious Macros





Published on: 13 April, 2018


Microsoft Word Document with malicious VBA macro with an obfuscated PowerShell script, found spreading. The malicious macros that requires the user to enable and once enabled, it puts together an obfuscated command and runs it in the background. The obfuscated command contains an obfuscated PowerShell script that instructs the host to visit each one of the five hardcoded URIs until a 32-bit Windows Executable is downloaded.

URL's:


  1. about.megaxus.com/v1/images/article/IpjKJT/
  2. erste.vip/nH0tN/
  3. www.umbriawifi.it/Ue8J/
  4. www.fatihhakanince.xyz/qgBiS
  5. tceele.com/NCbJ/

If the download is successful, it will be located in the %PUBLIC% folder with a random name generated within the integer range from 10000 to 282133.

Domain:


  1. about.megaxus.com
  2. erste.vip
  3. fatihhakanince.xyz
  4. tceele.com
  5. umbriawifi..it

IP:


  1. 103.216.218.42
  2. 213.205.38.25
  3. 54.169.121.108s

DOC:


  1. fb9fc26235d7b3f7465a6da2d0a60ebf395785372d06a16c9f558b773b0b2c01

Recommendation:


  1. It is recommend to monitor activity to the IP(s) / Domains as a potential indicator of infection.
  2. Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
  3. Restrict execution of powershell /WSCRIPT in enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled, script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
  4. Deploy web and email filters on the network. Configure the devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
    Note: A lot of malicious domains are using TLDs of (.PW, .TOP, .ME) and DYNDNS domains. Monitor connections to such domains.
  5. Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.

Reference: