
Hackers Utilizing Dropbox and Google Docs for Orcinius Malware Delivery


A newly identified multi-stage trojan, Orcinius, uses a technique called VBA stomping to hide its infection routine from macro analysis. The trojan relies on Dropbox and Google Docs as hosting for updates and for its second-stage payloads.

VBA stomping removes the VBA source code from a Microsoft Office document and leaves only the compiled form of the macro, the p-code, in the file. Office runs the p-code directly when the document is opened with the same Office build that compiled it, so the macro still executes even though the source a reviewer would normally read is gone or replaced.

According to the SonicWall Capture Labs threat research team, the malware contains an obfuscated VBA macro that infiltrates Windows to monitor running windows and keystrokes, while also establishing persistence using registry keys.

The execution of this attack begins with an Excel spreadsheet, such as the “CALENDARIO AZZORTI.xls” file, which serves as the initial method of infection. Within this seemingly innocuous Italian calendar file, three worksheets detailing billing cycles in different cities are included.

The file carries a VBA macro that has been tampered with using VBA stomping: the original source code is stripped out and only the compiled p-code remains. As a result, viewing the macro in the VBA editor, or extracting it with a tool that only reads the compressed source stream, shows either nothing or a benign decoy copy of the code that runs when the file is opened and closed. The flip side matters for analysts: if the document is opened in an Office version whose VBA build does not match the p-code, Office discards the p-code and recompiles the empty or decoy source, so the malicious code never runs. Detonation results for a stomped document therefore depend on the sandbox's Office version.
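To make the stomping check concrete, the following is an added example (not code from the article or from SonicWall) that decompresses the source-code part of a VBA module stream using the MS-OVBA container format and flags the "p-code present, source blank" case. It assumes the caller has already pulled the module stream out of the OLE file and knows MODULEOFFSET from the `dir` stream (olefile and oletools do that in practice); the p-code bytes, the two module sources and the single-chunk literal encoder used to build them are constructed for the example and are not taken from CALENDARIO AZZORTI.xls.

```python
"""Minimal MS-OVBA decompressor plus a VBA-stomping heuristic for one module.

Added example; not code from the article or from SonicWall.  A VBA module
stream inside the OLE container (e.g. 'VBA/Module1') is laid out as
    [PerformanceCache: compiled p-code] [CompressedSourceCode]
and the source starts at MODULEOFFSET, a value recorded in the (also
compressed) 'dir' stream.  Assumption: the caller already has the module
stream bytes and MODULEOFFSET.
"""
import math
import re
import struct


def decompress_container(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer ([MS-OVBA] section 2.4.1)."""
    if not data or data[0] != 0x01:
        raise ValueError("missing 0x01 CompressedContainer signature")
    out = bytearray()
    pos = 1
    while pos < len(data):
        chunk_start = pos
        header = struct.unpack_from("<H", data, chunk_start)[0]
        chunk_size = (header & 0x0FFF) + 3          # includes the 2-byte header
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % chunk_start)
        chunk_end = min(len(data), chunk_start + chunk_size)
        pos = chunk_start + 2
        chunk_out_start = len(out)
        if not header & 0x8000:                      # uncompressed chunk: raw bytes
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = data[pos]                        # one flag bit per token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(data[pos])            # literal byte
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                # Copy token: the offset/length bit split widens as the chunk fills.
                difference = len(out) - chunk_out_start
                if difference == 0:
                    raise ValueError("copy token at start of chunk")
                bit_count = max(math.ceil(math.log2(difference)), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):              # byte-wise: ranges may overlap
                    out.append(out[src + i])
    return bytes(out)


def compress_literals(source: bytes) -> bytes:
    """Test-only encoder: one compressed chunk built from literal tokens only.

    Valid per MS-OVBA (an encoder may skip copy tokens) but limited to a single
    chunk; real Office output uses copy tokens and several chunks, which
    decompress_container handles.
    """
    if len(source) > 3640:
        raise ValueError("single-chunk helper: at most 3640 source bytes")
    if not source:
        return b"\x01"                               # container with no chunks
    body = bytearray()
    for i in range(0, len(source), 8):
        body.append(0x00)                            # flag byte: next 8 are literals
        body += source[i:i + 8]
    header = 0x8000 | 0x3000 | (len(body) + 2 - 3)   # compressed | signature | size
    return b"\x01" + struct.pack("<H", header) + bytes(body)


_PROC = re.compile(r"\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s")


def inspect_module(module_stream: bytes, module_offset: int) -> dict:
    """Split a module stream at MODULEOFFSET and apply a stomping heuristic.

    Catches only the 'p-code present, source blank' form.  A benign decoy
    source paired with hostile p-code needs p-code disassembly (pcodedmp)
    and an identifier comparison, which is out of scope here.
    """
    pcode = module_stream[:module_offset]
    text = decompress_container(module_stream[module_offset:]).decode("latin-1")
    # Office always writes 'Attribute VB_Name = ...' lines; ignore them so a
    # module holding nothing else counts as blank.
    code_lines = [ln for ln in text.splitlines()
                  if ln.strip() and not ln.startswith("Attribute ")]
    return {
        "pcode_bytes": len(pcode),
        "source": text,
        "code_lines": len(code_lines),
        "has_procedure": any(_PROC.match(ln) for ln in code_lines),
        "possible_stomp": len(pcode) > 0 and not code_lines,
    }


# Constructed samples (not from CALENDARIO AZZORTI.xls). FAKE_PCODE is an opaque
# placeholder; real PerformanceCache bytes are never parsed by this code.
FAKE_PCODE = bytes(range(0x20, 0x60))
NORMAL_SOURCE = (b'Attribute VB_Name = "Module1"\r\n'
                 b'Sub Auto_Open()\r\n'
                 b'    MsgBox "hello"\r\n'
                 b'End Sub\r\n')
STOMPED_SOURCE = b'Attribute VB_Name = "Module1"\r\n'


def build_module(pcode: bytes, source: bytes):
    """Assemble a module stream and its MODULEOFFSET from the pieces above."""
    return pcode + compress_literals(source), len(pcode)


def demo():
    normal = inspect_module(*build_module(FAKE_PCODE, NORMAL_SOURCE))
    stomped = inspect_module(*build_module(FAKE_PCODE, STOMPED_SOURCE))
    return normal, stomped


if __name__ == "__main__":
    for label, result in zip(("normal", "stomped"), demo()):
        print(label, {k: v for k, v in result.items() if k != "source"})
```

On a real sample, open the `.xls` with olefile, read the `VBA/<module>` stream and take MODULEOFFSET from the decompressed `dir` stream (olevba already does both). Treat `possible_stomp` as a lead rather than a verdict: a module that is legitimately empty can still carry a small PerformanceCache, and the decoy-source variant the article describes will not trip this flag at all, so confirm with pcodedmp or by detonating in the Office version the p-code targets.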

When the file is opened, the macro runs a sequence of tasks: it suppresses warnings, checks registry keys, enumerates open windows, establishes persistence, decodes the URLs it uses for downloads, monitors keyboard input, and starts randomized timers for its download and activation attempts.

The network indicators are the domain www-env.dropbox-dns[.]com and the URLs hxxps://docs.google[.]com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download and hxxps://www.dropbox[.]com/s/zhp1b06imehwylq/Synaptics.rar?dl=1. VirusTotal relations link these locations to other malware families, including Remcos, AgentTesla, Neshta and HTMLDropper, delivered under the file name "Synaptics.exe". Both download locations were unreachable at the time of analysis, so the second-stage payload could not be retrieved.

Two points follow for defenders. Static macro analysis that only reads the VBA source is not sufficient against a stomped document; the p-code has to be examined as well (olevba and pcodedmp are the usual open-source tools), or the document detonated in the Office version the p-code targets. And because the second stage sits on legitimate cloud services, domain reputation alone will not block the download; the specific indicators above, and Office processes fetching archives or executables from file-sharing URLs, are the more useful signals.

As the landscape of cyber threats continues to evolve, cybersecurity professionals need to stay informed and proactive in defending against attacks of this kind. Platforms like Cynet XDR offer automated detection and response across endpoints, networks and users, providing a holistic approach to defense. By leveraging such tools, organizations can strengthen their security posture against emerging threats.
