Malicious PDFs + Word files = Trouble!!
Hackers are now using a sneaky "#MalDoc in PDF" technique to hide malicious Word files within PDFs.
Find out how this dangerous attack works. https://thehackernews.com/2023/09/beware-of-maldoc-in-pdf-new-polyglot.html
#Malware #CyberSecurity #maldoc
Beware of #MalDoc in #PDF: A New Polyglot Attack Allowing Attackers to Evade Antivirus ⚠️
https://thehackernews.com/2023/09/beware-of-maldoc-in-pdf-new-polyglot.html
Polyglots are files that contain two different file formats and, depending on the application that opens them, can be interpreted and executed as more than one file type.
Attackers are now exploiting this with #MalDoc. https://t.co/ZBUxxp6Tbz
#MalDoc in #PDF, the new technique that evades detection
#cybersecurity #hacking https://www.matricedigitale.it/notizie/maldoc-in-pdf-la-nuova-tecnica-elude-il-rilevamento/
#MalDoc in #PDF: Japanese CERT warns of #Malware documents hidden in PDFs | Security https://www.heise.de/news/MalDoc-in-PDF-Japanisches-CERT-warnt-vor-versteckter-Malware-9288262.html
"#MalDoc in #PDF - A technique that embeds malicious Word files in PDF files to evade detection": JPCERTCC
"JPCERT/CC has confirmed that a new technique that embeds malicious Word files in PDF files to evade detection (hereafter referred to in this article as MalDoc in PDF) was used in attacks that occurred in July."
#maldoc #pdf #prattohome #jpcertcc
Struggling with the wave of OneNote #phishing documents? Did you know you can block OneNote from launching an embedded file? This prevents the current wave of phishing docs.
#DFIR #CSIRT #MalDoc
https://www.bleepingcomputer.com/news/security/how-to-prevent-microsoft-onenote-files-from-infecting-windows-with-malware/
#OneNote #maldoc Our coverage of this #malware campaign includes a breakdown of the attack chain, IOCs, and some other curious details. People unfamiliar with OneNote as a weaponized document format should get used to this; #QakNote #maldocs are probably here to stay. 6/6
https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/
All the #OneNote #maldoc documents in this case contain a static image that prompts the user to click a button in response to text that says "This document contains attachments from the cloud, to receive them, double click 'open.'" The notebook runs a script like this one. 5/6
When you open the document, it spawns an embedded HTML Application (e.g., an .hta file) with an embedded script. The script retrieves a Qakbot DLL payload from a website and executes the initial infection command. 5/6
@SophosXOps #Qakbot's threat actors typically use email messages as their initial attack vector, "injecting" a malicious email into the middle of existing conversational threads, replying to all parties with either a #maldoc attachment or a link to a #malware file.
They're the worst kind of "reply guy" 3/6
I wrote a small Python library to extract metadata and embedded files from #OneNote documents (.one). The OneNote file format is not really documented, but it seems to work on the files I tested.
It is published on the @volexity GitHub repository: https://github.com/volexity/threat-intel/tree/main/tools/one-extract
It can be used #standalone or easily included in any #pipeline.
#CTI #threathunting #maldoc #maliciousdocuments
A malicious doc on the name of Colombian GOV spread as a fake lawsuit and enforced collection.
@dimitribest
4a69b0a3796dd688d57e11658ac1058c < doc
9792c84f24e1492cc4d179523fdfcb9d < vbs
1e989e84f5967d84f40acabaad3395de < Njrat
IoCs:
We published a blog #post about #Lazarus. They are still abusing fake cryptocurrency applications but we also identified #maldoc with #macro (an inception of macros). The purpose is to deploy #AppleJeus variants.
From a #reverse point of view, they implemented an uncommon side-loading technique. The malicious DLL is not directly loaded by the IAT of a legit binary, but via a legitimate DLL from the System32 repository. More details on the @volexity blog: https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/
#CTI #threatintel #threatintelligence
Emotet coming in hot - Emotet is a ubiquitous and well-known banking trojan that has evolved over the yea... https://blog.talosintelligence.com/emotet-coming-in-hot/ #threatspotlight #crimeware #topstory #securex #emotet #botnet #maldoc
New campaign uses government, union-themed lures to deliver Cobalt Strike beacons - By Chetan Raghuprasad and Vanja Svajcer. Cisco Talos discovered a malicious campai... http://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html #informationstealers #cobaltstrike #securex #threats #maldoc
Transparent Tribe begins targeting education sector in latest campaign - Cisco Talos has been tracking a new malicious campaign operated by the Transparent Tribe ... http://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html #malware #securex #threats #maldoc #apt