Impact: Collects sensitive information from victims' computers

The FortiGuard Labs team was recently monitoring a new phishing campaign that uses the classic strategy of attaching a malicious Microsoft Word document to an unsolicited email that recipients were then asked to open. However, after I performed some deep research on this phishing campaign, I realized that a fresh malware was being delivered by the Word document, designed to steal crypto wallet information and credentials from the victims' infected devices. This malware doesn't seem to belong to any known malware family, so we named it "dmechant", which is a constant string compiled in the malware sample. In this analysis I reveal my findings on this new malware, including how it is launched by the Word document, how the executable deploys itself on the victim's device, what kind of sensitive information it searches for, and how stolen data is sent to the attacker via the SMTP protocol.

The Email Captured by FortiGuard Labs and the Word Document

The spam email looks like an urgent order reminder from a purchase manager. It asks the recipient to review the materials in the attached Word document and then reply to the email as soon as possible.

Interestingly, the content of this document is written in Spanish. Our best guesses are that this campaign is targeting multiple regions and the wrong document was attached, or this is being done deliberately to disguise the warning. In either case, I translated it into English using Google translate:

Document created in an earlier version of Microsoft Office Word
To see this content, click on "enable editing" from the yellow bar and then click "Enable content"

The malicious Macro is executed once the button Enable Content is clicked. It has a VBA function called Document_Open(). This is a built-in function of the Macro and is called automatically when the document is opened. It then calls other functions to extract JS (JavaScript) code into a file (rtbdxsdcb.js) under the %temp% folder. After that, it executes this "JS" file to finish the Macro's work.

Figure 1.3 is a screenshot of the Macro's VBA code displaying the JS code to be extracted and the process of writing it into the local file rtbdxsdcb.js, as well as it being executed.

As you can see, it calls the Shell function to execute the command to run the JS file:

It then loads the decompressed file %Temp%\arwtfgxjpx80, mentioned earlier, into memory and calls a function to decrypt it. As a result, it is able to extract an executable PE file in memory. The dynamic code then creates a duplicate of the current process (erbxcb.exe) in a suspended state (by calling the API CreateProcessW() with the CREATE_SUSPENDED flag). It then copies each section of the decrypted PE file into the second process, overwriting its existing code. In this way it is able to deploy the decrypted PE file into the newly-created second process.
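A defender-side detection sketch for the two behaviours this analysis describes (an Office process dropping and launching a .js file from %temp%, and a process hollowing a suspended copy of its own image), added here as an example and not FortiGuard's or the malware's own code. It assumes the macro's Shell command launches wscript.exe or cscript.exe, that the sensor reports the CREATE_SUSPENDED flag and cross-process memory writes, and that the paths, PIDs and event records are constructed for illustration.

```python
from dataclasses import dataclass
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # assumed targets of the macro's Shell call

@dataclass
class ProcEvent:                     # one process-creation record as an EDR/Sysmon-style sensor reports it
    pid: int
    image: str                       # full path of the new process image
    parent_image: str                # full path of the creating process image
    cmdline: str
    create_suspended: bool = False   # CREATE_SUSPENDED present in the creation flags
    writes_from_parent: int = 0      # cross-process memory writes into this pid observed afterwards

def _name(path: str) -> str:
    return ntpath.basename(path).lower()

def flag_macro_script_drop(ev: ProcEvent) -> bool:
    """Office application launching a script host on a .js file under %temp% (the rtbdxsdcb.js step)."""
    if _name(ev.parent_image) not in OFFICE_APPS or _name(ev.image) not in SCRIPT_HOSTS:
        return False
    cl = ev.cmdline.lower()
    return ".js" in cl and ("\\temp\\" in cl or "%temp%" in cl)

def flag_self_hollowing(ev: ProcEvent) -> bool:
    """Suspended child with the same image as its parent that then receives memory
    writes from that parent: the erbxcb.exe duplicate-and-overwrite pattern described above."""
    return (ev.create_suspended
            and _name(ev.image) == _name(ev.parent_image)
            and ev.writes_from_parent > 0)

def triage(events):
    """Return (pid, rule) pairs for every event that matches a rule, in event order."""
    rules = (("office-dropped-js", flag_macro_script_drop), ("self-hollowing", flag_self_hollowing))
    return [(ev.pid, name) for ev in events for name, rule in rules if rule(ev)]

# Constructed telemetry modelled on the chain in the analysis (paths and PIDs are made up).
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
DROPPER = r"C:\Users\victim\AppData\Roaming\erbxcb.exe"   # assumed location, not from the analysis
SAMPLE_EVENTS = [
    ProcEvent(100, WORD, r"C:\Windows\explorer.exe", '"WINWORD.EXE" /n order.docx'),
    ProcEvent(101, WSCRIPT, WORD, r"wscript.exe C:\Users\victim\AppData\Local\Temp\rtbdxsdcb.js"),
    ProcEvent(102, DROPPER, WSCRIPT, "erbxcb.exe"),
    ProcEvent(103, DROPPER, DROPPER, "erbxcb.exe", create_suspended=True, writes_from_parent=7),
]
```

Running `triage(SAMPLE_EVENTS)` flags pid 101 (Word spawning a script host on the %temp% .js) and pid 103 (the suspended self-copy that is then written into), while the benign Word launch and the first erbxcb.exe start are not flagged.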