Discover and read the best of Twitter Threads about #MalDoc
Most recents (3)
Recorded Future analysts monitor targeting of ethnic and religious minorities by Chinese state-sponsored groups. In the first half of 2022, #TA413 exploited zero-days #Follina and CVE-2022-1040 with new custom backdoor #LOWZERO in Tibetan targeting. 1/9 bit.ly/3LwzoDf
#MalDoc lures, in Tibetan language, pose as applications for compensation, contest... This one sent from tibet[.]bet was weaponized with #RoyalRoad SHA 028e07fa88736f405d24f0d465bc789c3bcbbc9278effb3b1b73653847e86cf8, drops #LOWZERO and contacts hardcoded C2 45.77.19[.]75. 2/9 
Interesting #maldoc
#TrickBot is distributed using a maldoc that uses #Emotet Template:
Process:
- It drops a small dll (1.xml) and executes its by creating an Outlook instance that calls rundll to execute 1.xml
- Drops a PS file and executes it
- Downloads and executes TrickBot
#TrickBot is distributed using a maldoc that uses #Emotet Template:
Process:
- It drops a small dll (1.xml) and executes its by creating an Outlook instance that calls rundll to execute 1.xml
- Drops a PS file and executes it
- Downloads and executes TrickBot
Maldoc:
b2859b4165a3047632174c1cd26b6756
1.xml:
8de70541621842ae7e3e6e21b41ee155
TrickBot download urls:
http://91.92.109.142/wolf.png
http://192.99.255.33/images/wolf.png
http://83.138.53.103/images/wolf.png
http://172.96.189.216/images/wolf.png
b2859b4165a3047632174c1cd26b6756
1.xml:
8de70541621842ae7e3e6e21b41ee155
TrickBot download urls:
http://91.92.109.142/wolf.png
http://192.99.255.33/images/wolf.png
http://83.138.53.103/images/wolf.png
http://172.96.189.216/images/wolf.png
TrickBot:
ad5ad0ce03a4de9de5829cdf2ec78d59
b4dcf8f35e2ba2fa4af1ec6c95d4c179
efaf7ddf9bc9398f18c76bf16e23755e
ff1f685e2a3381d277e71580e1166b06
a051cc64e345d440606d3c28463b8f95
ad5ad0ce03a4de9de5829cdf2ec78d59
b4dcf8f35e2ba2fa4af1ec6c95d4c179
efaf7ddf9bc9398f18c76bf16e23755e
ff1f685e2a3381d277e71580e1166b06
a051cc64e345d440606d3c28463b8f95
Want to make those #xlm macros particularly resistant to AV? Get yourself a copy of Office 2003 and use the XOR Obfuscation method of encryption to protect your document with default password (VelvetSweatshop). Suddenly your #maldoc is invisible. Example: virustotal.com/gui/file/c3466…
The example I posted is otherwise identical to this document I generated with #macrome - virustotal.com/gui/file/e23f9…. Goes from 11 detections to 0.
AV knows about the VelvetSweatshop trick, but they don't know how to decrypt the XOR Obfuscation method.
AV knows about the VelvetSweatshop trick, but they don't know how to decrypt the XOR Obfuscation method.
The MS-OFFCRYPTO specification is actually full of goodies if you give it a read. XOR Obfuscation is described at docs.microsoft.com/en-us/openspec…. It's a legacy format stemming from the crypto-is-a-munition days. It's trivial to bypass, but unsupported by most document forensic tools.
