Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature

This blog post was authored by Hossein Jazi and Jérôme Segura


On June 10, we found a malicious Word document disguised as a resume that uses template injection to drop a .NET loader. This is the first part of a multi-stage attack that we believe is associated with an APT group. In the last stage, the threat actors used Cobalt Strike's Malleable C2 feature to download the final payload and perform C2 communications.


This attack is particularly clever in its evasion techniques. For instance, we observed an intentional delay in executing the payload from the malicious Word macro: the goal is not to compromise the victim right away, but to wait until they restart their machine. Additionally, by hiding shellcode within an innocuous JavaScript file and loading it without touching the disk, this APT group can further evade detection by security products.


Lure with delayed code execution


The lure document was probably distributed through spear phishing emails as a resume from a person allegedly named “Anadia Waleed.” At first, we believed it was targeting India but it is possible that the intended victims could be more widespread.



Figure 1: Resume

The malicious document uses template injection to download a remote template from the following url:


https://yenile[.]asia/YOOMANHOWYOUDARE/indexb.dotm



Figure 2: Template injection
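The relationship shown in Figure 2 is easy to check for programmatically. The script below is an added example, not code from the original post or from the authors' own tooling: it opens a Word document as the zip archive it is, reads word/_rels/settings.xml.rels and reports any attachedTemplate relationship whose target is external. The two sample documents it builds in memory are constructed for this example (they contain only the parts the check reads); the URL in the first one is the indicator reported above, re-fanged so the sample looks like the real lure.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Package-relationship namespace and the relationship type Word uses for an
# attached template (the mechanism that remote template injection abuses).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(doc_bytes):
    """Return [(rel_id, target), ...] for every attachedTemplate relationship
    in word/_rels/settings.xml.rels whose TargetMode is External.

    A benign document either has no attachedTemplate relationship or points at
    a local file such as Normal.dotm; an external http(s) target is the
    tell-tale of remote template injection."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits
        root = ET.fromstring(z.read(SETTINGS_RELS))
    for rel in root.iter("{%s}Relationship" % RELS_NS):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        if rel.get("TargetMode", "Internal") != "External":
            continue
        hits.append((rel.get("Id"), rel.get("Target")))
    return hits


def defang(url):
    """Bracket the dots in the host so the indicator is safe to paste."""
    host = urlsplit(url).netloc
    return url.replace(host, host.replace(".", "[.]"), 1)


def build_sample_doc(target, external=True):
    """Construct a minimal .docx in memory whose settings.xml.rels carries one
    attachedTemplate relationship. Only the parts this check reads are
    present; Word would need more, but that is irrelevant here."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="{ns}">'
        '<Relationship Id="rId1" Type="{typ}" Target="{tgt}"{mode}/>'
        '</Relationships>'
    ).format(ns=RELS_NS, typ=ATTACHED_TEMPLATE, tgt=target, mode=mode)
    settings = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("word/settings.xml", settings)
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


# Constructed samples: the URL is the indicator reported above, re-fanged so
# the document looks like the real lure; the second sample uses a local template.
MALICIOUS_URL = "https://yenile.asia/YOOMANHOWYOUDARE/indexb.dotm"
MALICIOUS_DOC = build_sample_doc(MALICIOUS_URL)
BENIGN_DOC = build_sample_doc("Normal.dotm", external=False)

if __name__ == "__main__":
    for name, doc in (("resume.docx", MALICIOUS_DOC), ("benign.docx", BENIGN_DOC)):
        hits = find_remote_templates(doc)
        if hits:
            for rel_id, target in hits:
                print("%s: remote template %s via %s" % (name, defang(target), rel_id))
        else:
            print("%s: no remote template" % name)
```

The same check works on a real file by passing the bytes of the .docx or .dotm to find_remote_templates; note that a document with no settings.xml.rels at all is treated as clean, and that a local attachedTemplate (no TargetMode, or TargetMode="Internal") is not flagged, which is what you want for ordinary Normal.dotm references.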

The domain used to host the remote template was registered on February 29, 2020 by someone from Hong Kong. Creation time for the document is 15 days after this domain registration.


The downloaded template, “indexa.dotm”, has an embedded macro with five functions:


Document_Open
VBA_and_Replace
..
