Malware researchers at Fortinet have discovered a weaponized Word document that is able to start the infection process on both Microsoft and Apple OSs.
Security researchers at Fortinet have spotted a weaponized Word document that has been designed to spread malware on either Microsoft Windows or Mac OS X, it is able to determine which OS is used by the person that opens the document and start the attack.
The documents trick victims into enabling macros, then a malicious VBA code is executed.
Once the VBA code is executed, the AutoOpen() function is automatically invoked. It first reads the data from the “Comments” property of the Word file, a base64-encoded string, and depending on the OS, executes a certain script.
When executed on Mac OS X, the script downloads a malicious file containing another script, written in python, that’s executed and communicate with the control server.
“When the python script is executed, it downloads a file from “hxxps://sushi.vvlxpress.com:443/HA1QE”, and executes it. The downloaded python script is a slightly modified version of the Python meterpreter file, which is also part of the Metasploit framework.” reads the analysis published by Fortinet. “The source code of the project can be downloaded from the following URL: hxxps://github.com/rapid7/metasploit-payloads/blob/master/python/meterpreter/meterpreter.py.”
The above script is a version of a Python Meterpreter file that leverages in-memory DLL injection mechanism.
A similar technique was implemented by the criminal gang tracked as GCMAN and a group of criminals that powered a hacking campaign that leverage on fileless malware in February,
The script used to start the attack on Window systems is much more sophisticated. It implements a “matryoshka” mechanism of powershell scripts and according to the researchers it only works on 64-bit versions of Windows.
Each layer is base64-encoded, once the final level is executed, the script downloads a 64-bit DLL file, which executes and communicates with the control server.
The malware researchers at Fortinet are still analyzing the malicious code.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.