It is not unusual for attackers to use Microsoft Word macros as the first stage of a broader attack aimed at large numbers of users. An unidentified group has used Word documents containing macros to download a more dangerous PowerShell script from GitHub.
GitHub-hosted malware
This PowerShell script, hosted on GitHub, covertly deploys a Cobalt Strike payload on Windows systems. To do so, the script downloads a legitimate-looking image from Imgur, the popular image-sharing website. While the threat has not been attributed to a single actor, researchers have several theories.
For instance, some say that the malware strain is related to MuddyWater, also known as SeedWorm and TEMP.Zagros. MuddyWater first appeared in 2017 and has since targeted countries in the Middle East, Europe, and the United States.
This advanced persistent threat is allegedly state-backed and has used sophisticated phishing techniques to target government officials in many countries. According to the first reports, the new malware attack follows suit in how it gains a foothold on a user's device. From there on, however, things are a little different.
The decoded code that executed is a Cobalt Strike script. Once decoded with the XOR op, we can note the shellcode uses the EICAR string to make the SOC team think it is a test. This uses the Wininet module to contact the C2 in the shellcode. pic.twitter.com/Qlska7DteM
— Arkbird (@Arkbird_SOLG) December 27, 2020
Arkbird, one of the first researchers to expose the malware strain, says that the malware follows a detailed workflow to spawn its payloads. In the first stage, the attacker sends a Microsoft Word document containing a macro.
The macro runs whenever the document is opened and fetches the PowerShell script from its GitHub location. The PowerShell script then downloads a legitimate-looking image file from Imgur. Despite its colorful appearance, the image is a decoy: the next stage of the payload is hidden inside its image data.
The attackers used steganography to hide malicious code inside an ordinary-looking file, in this case a PNG image, much as other campaigns have used images or PDF documents. The PowerShell script extracts the hidden data from the innocuous-looking PNG, XOR-decodes it, and executes the resulting Cobalt Strike shellcode.
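The extract-then-decode step described above, as an added example that is not the campaign's code or Arkbird's analysis. It is written in Python rather than PowerShell so that it runs anywhere offline: it builds a small PNG, buries an XOR-encoded stage in the least significant bits of the pixel data, then plays the loader's role by pulling the bits back out and decoding them. The embedding scheme (one bit per channel byte, length-prefixed), the repeating XOR key, the gradient cover image and all function names are assumptions for illustration; the page does not describe the real scheme. The EICAR test string stands in for the shellcode because the tweet above notes that the real stage carried it, and it is harmless by design.

```python
"""Added example: LSB steganography in a PNG plus repeating-key XOR, attacker
side and loader side, with a triage check for the EICAR tell. All inputs are
constructed here; nothing is downloaded."""
import struct
import zlib

# Constructed stand-in for the second-stage payload (harmless EICAR string).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
XOR_KEY = b"hypothetical"  # assumption: the real key is not on the page
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _chunk(tag: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """Encode flat 8-bit RGB bytes as a PNG with no per-row filtering."""
    rows = (b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"".join(rows))) + _chunk(b"IEND", b""))


def read_png(png: bytes):
    """Decode only the unfiltered 8-bit RGB PNGs that write_png produces."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, 0, 0, b""
    while pos < len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("only 8-bit RGB is handled here")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # length + tag + body + crc
    raw, stride = zlib.decompress(idat), width * 3 + 1
    if any(raw[y * stride] != 0 for y in range(height)):
        raise ValueError("row filters other than None are not handled here")
    return width, height, b"".join(raw[y * stride + 1:(y + 1) * stride] for y in range(height))


def embed_lsb(rgb: bytes, secret: bytes) -> bytes:
    """Write a length-prefixed secret, MSB first, into the low bit of successive channel bytes."""
    framed = struct.pack(">I", len(secret)) + secret
    if len(framed) * 8 > len(rgb):
        raise ValueError("cover image too small for the payload")
    out = bytearray(rgb)
    for i in range(len(framed) * 8):
        out[i] = (out[i] & 0xFE) | ((framed[i // 8] >> (7 - i % 8)) & 1)
    return bytes(out)


def extract_lsb(rgb: bytes) -> bytes:
    """Read the 4-byte length, then that many bytes, from the low bits."""
    def read(offset: int, nbytes: int) -> bytes:
        vals = bytearray(nbytes)
        for i in range(nbytes * 8):
            vals[i // 8] = (vals[i // 8] << 1) | (rgb[offset + i] & 1)
        return bytes(vals)
    (length,) = struct.unpack(">I", read(0, 4))
    return read(32, length)


def cover_image(width: int, height: int) -> bytes:
    """Constructed gradient standing in for the downloaded Imgur picture."""
    return bytes((x * 7 + y * 3 + c * 11) & 0xFF
                 for y in range(height) for x in range(width) for c in range(3))


def hide_payload(payload: bytes, key: bytes, width: int = 64, height: int = 64) -> bytes:
    """Attacker side: XOR-encode the stage and bury it in a PNG."""
    return write_png(width, height, embed_lsb(cover_image(width, height), xor(payload, key)))


def recover_payload(png: bytes, key: bytes) -> bytes:
    """Loader side: pull the bits back out of the pixels and XOR-decode them."""
    return xor(extract_lsb(read_png(png)[2]), key)


def looks_like_eicar(stage: bytes) -> bool:
    """Triage check: a decoded stage carrying the EICAR string is a tell, not a test."""
    return b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in stage


if __name__ == "__main__":
    png = hide_payload(EICAR, XOR_KEY)
    stage = recover_payload(png, XOR_KEY)
    print(len(png), "byte PNG; stage recovered:", stage == EICAR, "; EICAR tell:", looks_like_eicar(stage))
```

Two points worth noting for anyone triaging such an image: every channel byte changes by at most one, so the picture looks untouched to the eye, which is exactly why a decoy downloaded from a legitimate image host is hard to flag on content alone; and the decoded stage only makes sense with the right key, so the loader script, not the image, is where the key and the extraction scheme live.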
At the time of writing, the attackers appear to have taken the whole project down: the GitHub repository and its pages are no longer accessible. That said, it is impossible to know how many people downloaded the malicious Word file and ran the macro.