HomeCyber BalkansHackers Utilizing Dropbox and Google Docs for Orcinius Malware Delivery

Hackers Utilizing Dropbox and Google Docs for Orcinius Malware Delivery

Published on

spot_img

In recent news, a new Orcinius Trojan has been identified, utilizing a technique called VBA Stomping to conceal its infection. This multi-stage trojan leverages Dropbox and Google Docs to remain updated and distribute second-stage payloads.

Typically, VBA stomping involves removing the VBA source code in a Microsoft Office document, leaving only the compiled form of the macro code known as p-code in the document file.

According to the SonicWall Capture Labs threat research team, the malware contains an obfuscated VBA macro that infiltrates Windows to monitor running windows and keystrokes, while also establishing persistence using registry keys.

The execution of this attack begins with an Excel spreadsheet, such as the “CALENDARIO AZZORTI.xls” file, which serves as the initial method of infection. Within this seemingly innocuous Italian calendar file, three worksheets detailing billing cycles in different cities are included.

The file harbors a VBA macro that has been tampered with using VBA stomping, a technique that obliterates the original source code and leaves only compiled p-code. This modification results in a scenario where analyzing the macro within the document reveals either nothing or a benign copy of the code that activates when the file is opened and closed.

Upon runtime, the file triggers the macro to execute a series of tasks, including hiding warnings, checking registry keys, listing open windows, establishing persistence, accessing encoded URLs for downloads, monitoring keyboard input, and initiating randomized timers for download and activation attempts.

The malicious URLs associated with this threat are www-env.dropbox-dns[.]com, hxxps://docs.google[.]com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download, and hxxps://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1. Research indicates that these URLs have ties to other malicious entities such as Remcos, AgentTesla, Neshta, and HTMLDropper, masquerading as “Synaptics.exe” on VirusTotal. Unfortunately, the pages at both locations were inaccessible during runtime.

The prevalence of harmful cyber activities poses significant risks of misinterpretation, escalation, and dissemination of impacts. It is crucial for organizations and individuals to remain vigilant and adopt comprehensive cybersecurity measures to mitigate such threats.

As the landscape of cyber threats continues to evolve, it is imperative for cybersecurity professionals to stay informed and proactive in defending against sophisticated attacks.Platforms like Cynet XDR offer automated detection and response capabilities for endpoints, networks, and users, providing a holistic approach to cybersecurity defense. By leveraging advanced tools and technologies, organizations can enhance their security posture and safeguard against emerging threats.

Source link

Latest articles

Government Updates UK National Risk Register with Cyber Warnings

The UK government has taken significant steps to address evolving threats in the realm...

LegacyHive Windows Zero-Day Allows Attackers to Take Control of Administrator Registry Hives

A recently uncovered security vulnerability in Windows systems, termed LegacyHive, has raised significant alarms...

Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker; Lawyers Claim Misidentification

Armenian authorities have detained a Russian national named Aleksandr Ermakov at the request of...

SANS Highlights AI Governance Gap Amid Rising Security Team Usage

AI Integration in Cybersecurity: Balancing Confidence with Deployment Challenges In recent developments within the cybersecurity...

More like this

Government Updates UK National Risk Register with Cyber Warnings

The UK government has taken significant steps to address evolving threats in the realm...

LegacyHive Windows Zero-Day Allows Attackers to Take Control of Administrator Registry Hives

A recently uncovered security vulnerability in Windows systems, termed LegacyHive, has raised significant alarms...

Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker; Lawyers Claim Misidentification

Armenian authorities have detained a Russian national named Aleksandr Ermakov at the request of...