Microsoft Threat Intelligence
We are Microsoft's global network of security experts. Follow for security research and threat intelligence.

Sep 3, 2020, 5 tweets

Our comprehensive, active tracking of Dudear operations, attributed to the threat actor CHIMBORAZO (aka TA505), shows that these campaigns relentlessly use multiple layers of detection evasion techniques to try to slip through defenses.

These techniques include the routine use of varying social engineering lures (recent ones include Expense report, fake Citrix ShareFile email, and fake Dropbox notification) and download websites that block traffic from automated analysis, in addition to the CAPTCHA challenge.

The email campaigns also switch between using HTML attachments that lead to a series of redirector websites before eventually leading to the download website, and using malicious URLs that download the malicious HTML, or both.

The downloaded Excel file contains a malicious macro that, per usual, drops the GraceWire payload that is embedded in the document. As another evasion tactic, the embedded file contains a PNG file that contains two DLL files, the 32-bit and 64-bit versions of the GraceWire loader.
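The PNG-with-two-DLLs trick above is one an analyst can check for during triage. The following is an added example, not code from Microsoft or from the thread: it walks a PNG's chunk list, carves out whatever follows the IEND chunk (the "overlay" that image viewers ignore), and reports each embedded PE image along with its IMAGE_FILE_HEADER Machine value, which distinguishes the 32-bit and 64-bit loaders. The thread does not say how GraceWire's loader is stored inside the PNG, so treating it as a post-IEND overlay is an assumption; the sample PNG and the two minimal PE stubs are constructed here and are not real GraceWire artifacts.

```python
"""Scan a PNG for PE images (DLL/EXE) stored after the image's final IEND chunk.

Added example; the overlay-after-IEND layout is an assumption, not the
documented GraceWire embedding method.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# IMAGE_FILE_HEADER.Machine values for the two loader flavours named in the thread
MACHINE_NAMES = {0x014C: "i386 (32-bit)", 0x8664: "AMD64 (64-bit)"}
IMAGE_FILE_DLL = 0x2000  # IMAGE_FILE_HEADER.Characteristics bit set on DLLs


def trailing_bytes_after_iend(data: bytes) -> bytes:
    """Walk the PNG chunk list and return whatever follows the IEND chunk.

    A well-formed PNG ends at IEND; bytes after it do not affect rendering,
    which is what makes the image a convenient carrier for other files.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        pos += 8 + length + 4  # length + type + data + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("PNG has no IEND chunk (truncated?)")


def find_pe_images(blob: bytes) -> list:
    """Return (offset, machine name, is_dll) for every valid PE header in blob."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        # e_lfanew at DOS-header offset 0x3C points at the "PE\0\0" signature
        if pos + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            pe = pos + e_lfanew
            if pe + 24 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
                (machine,) = struct.unpack_from("<H", blob, pe + 4)       # COFF Machine
                (characteristics,) = struct.unpack_from("<H", blob, pe + 22)  # COFF Characteristics
                hits.append((pos, MACHINE_NAMES.get(machine, hex(machine)),
                             bool(characteristics & IMAGE_FILE_DLL)))
        pos = blob.find(b"MZ", pos + 1)
    return hits


def scan_png(data: bytes) -> list:
    """Convenience wrapper: carve the overlay and list the PE images inside it."""
    return find_pe_images(trailing_bytes_after_iend(data))


# ---- constructed sample input (not a real artifact) ----
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def _fake_pe(machine: int, characteristics: int) -> bytes:
    """Minimal DOS header + PE signature + COFF header: recognisable, not loadable."""
    buf = bytearray(0x40 + 4 + 20)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, machine)
    struct.pack_into("<H", buf, 0x40 + 22, characteristics)
    return bytes(buf)


def build_sample_png() -> bytes:
    """A valid 1x1 RGB PNG followed by a 32-bit and a 64-bit fake DLL stub."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    image = (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr)
             + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))
    overlay = _fake_pe(0x014C, 0x2102) + b"\x00" * 16 + _fake_pe(0x8664, 0x2022)
    return image + overlay


if __name__ == "__main__":
    for offset, machine, is_dll in scan_png(build_sample_png()):
        print(f"PE at overlay offset {offset:#06x}: {machine}, DLL={is_dll}")
```

Two things the carve logic relies on: the scanner validates each `MZ` candidate by following `e_lfanew` to a real `PE\0\0` signature, so stray `MZ` byte pairs in image data do not produce false hits; and it reads the Machine field rather than trusting file names, so a 32-bit and a 64-bit loader stored side by side are told apart even when they carry no extension. A real sample may instead hide the payload inside a chunk or XOR it, so a negative result from this check is not proof the image is clean.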

Even with these evasion tactics, however, Dudear campaigns are detected by Microsoft Threat Protection, driven by its visibility into emails, files, and network activities, and experts who connect the dots to deliver comprehensive protection.
