Discover and read the best of Twitter Threads about #MalDoc

Most recent (3)

Recorded Future analysts monitor targeting of ethnic and religious minorities by Chinese state-sponsored groups. In the first half of 2022, #TA413 exploited zero-days #Follina and CVE-2022-1040 with new custom backdoor #LOWZERO in Tibetan targeting. 1/9 bit.ly/3LwzoDf
#MalDoc lures, in Tibetan language, pose as applications for compensation, contest... This one sent from tibet[.]bet was weaponized with #RoyalRoad SHA 028e07fa88736f405d24f0d465bc789c3bcbbc9278effb3b1b73653847e86cf8, drops #LOWZERO and contacts hardcoded C2 45.77.19[.]75. 2/9
Sent from the same domain, this lure has #phishing email links to tibet-gov.web[.]app posing as the Tibetan government-in-exile. Sent in 2 waves, the 1st email links to a .docx attachment hosted on Google Firebase which attempts #Follina via the ms-msdt MSProtocol URI scheme. 3/9
Interesting #maldoc
#TrickBot is distributed using a maldoc that uses #Emotet Template:

Process:
- It drops a small dll (1.xml) and executes it by creating an Outlook instance that calls rundll to execute 1.xml
- Drops a PS file and executes it
- Downloads and executes TrickBot
Maldoc:
b2859b4165a3047632174c1cd26b6756

1.xml:
8de70541621842ae7e3e6e21b41ee155

Want to make those #xlm macros particularly resistant to AV? Get yourself a copy of Office 2003 and use the XOR Obfuscation method of encryption to protect your document with default password (VelvetSweatshop). Suddenly your #maldoc is invisible. Example: virustotal.com/gui/file/c3466…
The example I posted is otherwise identical to this document I generated with #macrome - virustotal.com/gui/file/e23f9…. Goes from 11 detections to 0.

AV knows about the VelvetSweatshop trick, but they don't know how to decrypt the XOR Obfuscation method.
The MS-OFFCRYPTO specification is actually full of goodies if you give it a read. XOR Obfuscation is described at docs.microsoft.com/en-us/openspec…. It's a legacy format stemming from the crypto-is-a-munition days. It's trivial to bypass, but unsupported by most document forensic tools.