Process:
- It drops a small dll (1.xml) and executes its by creating an Outlook instance that calls rundll to execute 1.xml
- Drops a PS file and executes it
- Downloads and executes TrickBot
Some updates on this suspected #Lazarus#APT:(thread, 1/4) 1) The remote template is VBA stomped or at least it was able to hide itself from olevba and oledump 2) The remote template drops an obfuscated vbs file and registers it as a scheduled service
3) All the strings in "OneDriveUpdateNew.vbs" are obfuscated and are decoded using "string_decoder" function with a hardcoded key table.
You can see the decoder and list of the decoded strings used by this vbs file here: github.com/HHJazi/APT 2/4
4) The vbs file collects the victim info and builds an HTTP request:
"Username-ComputerName_UUID;OSName" 5) Then it encodes the request using hard coded key and sends the generated request to C2 6) Receives a payload from the C2 and writes it into "%APPDATA%/OD_update.exe" 3/4