Analysis of Remote Template Injection used by APT

-

 

EXECUTIVE SUMMARY

       Attackers are continually trying to find new ways to target users with malware sent via email.Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro that executes malicious code to get initial access. There are numerous techniques used on these malicious docs to bypass anti-virus detection (VBAStomping, obfuscation, etc.). One such method is Remote Template Injection.

 

TECHNICAL INVESTGATION

         Remote template injection was initially found in 2017 , later used by many APT's such as Gamaredon , Lazarus and many more .It was also listed on MITRE (T1221)

 In this scenario the template with Macro will be hosted on the attacker's server will get executed when the victim clicks on enable macro

 

ANALYSIS OF GAMAREDON's SAMPLE

           The sample of gamaredon group was found by researchers and shared on Malware Bazaar 

Upon opening the sample in word, we can see a dot file loading from other URL 


And in fiddler we can see it tries to connect to external url

 

INDICATOR OF COMPROMISE(IoC)

md5: 378c0fe6610d9afbc8c9346d50589966

SHA256: 5c20d1f0c60a10e7d656c1a3198554356c4ebe5a801d356fd2150e29f182ede1

hxxp://tomond[.]ru/VZ/select/basis/never.dot 

195.133.5.173

 

REFERENCES:

1. https://blog.sunggwanchoi.com/remote-template-injection/


Popular posts from this blog

Lock -(B)- it : A Tale of Ransomware

-
Image
EXECUTIVE SUMMARY              * LockBit is one of the world's most active ransomware group connected to various high-profile attacks. This Blog consists of below Intel related to LockBit Group                                     • LockBit & Underground Forums                  • Affiliates & Partners                 • LockBit Blog - Leaked Data's                  • LockBit's Builder       LOCKBIT & UNDERGROUND FORUMS        * LockBit's presence in reputed Russian Underground Forums allows it to Hire affiliates for their ransomware & other malware developers as per need. Some of the most interesting  profiles are posted below.   Profiles (LockBit's Profile on one of the top russian underground forums) (LockBit's Profile on other Russian board) (LockBit's post's on Same Underground Forum) (Lockbit sponsered competiton of $15,000 AFFILIATES & PARTNERS                             * As a RaaS Model , LockBit requires affiliates to get ini
Read more

Analysis of Latin American Bot (Vadokrist) : Part I - Mechanism & Dropper

-
Image
  EXECUTIVE SUMMARY         Vadokrist Trojan aims to steal credentials from victims’ machines and to create banking overlay windows when the victim visits their home banking portals. Here is the list of known Latin American banking Trojans                  • Grandoreiro                  • URSA                  • Javali                   • Vadokrist (aka) Mispadu DISTRIBUTION         Vadokrist is propagated via social engineering schemas – namely, phishing/malscam campaigns TECHNICAL ANALYSIS            Abusing MSI (Windows Installer) was one of the growing threat in cyber industry. In this sample the msi file acts as a dropper for VadoKrist Trojan          Here we can see the obfuscated JS code Binded into Windows Installer (MSI) which drop a zip file and extracts Vadokrist Trojan    Here is the Full obfuscated code of the dropper                                             
Read more