Attackers are exploiting the ubiquity of office documents in business communications to distribute malware, relying on users who unwittingly activate code hidden in seemingly harmless files. The AhnLab Security Intelligence Center (ASEC) recently uncovered an attack in which the attackers use a deceptive shortcut file named ‘Survey.docx.lnk’ to deliver the VenomRAT malware. The shortcut, disguised as a legitimate Word document and bundled with a genuine text file, relies on ‘blues.exe’, which carries a Korean company’s certificate, to execute malicious commands that connect to an external URL through “mshta.” The decoded URL reveals PowerShell commands that download files to %appdata%, including the seemingly innocent ‘qfqe.docx,’ which is in fact a malware downloader.
Once executed, ‘blues.exe’ downloads additional scripts via PowerShell, including ‘sys.ps1,’ which fetches data from ‘adb.dll’ and runs it filelessly. ‘adb.dll’ holds an encoded shellcode: the blob is Base64-decoded and the result is XOR-decrypted with the key string ‘sorootktools.’ The decoded shellcode is VenomRAT (AsyncRAT), which performs keylogging, leaks PC information, and executes commands received from the threat actors. Because Windows hides the ‘.lnk’ extension, the malicious shortcut files look like ordinary documents; they are actively spreading and call for user vigilance. The Indicators of Compromise (IoCs) provided include file detection names, behavior detection names, and specific MD5 hashes, as well as the Command and Control (C&C) URLs associated with the attack.
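The decoding layering described above, as an added analyst-side illustration (not ASEC’s tooling or the malware’s own code): Base64-decode the blob, then XOR it with the repeating key ‘sorootktools’. The sample input is constructed, and the helper names are assumptions.

```python
import base64
from itertools import cycle

# Key string named in the ASEC report for the adb.dll payload.
XOR_KEY = b"sorootktools"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one routine
    serves for both directions."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_payload(blob: str, key: bytes = XOR_KEY) -> bytes:
    """Reverse the described layering: Base64 text -> raw bytes -> XOR-decrypt.
    validate=True rejects blobs with stray characters instead of silently
    dropping them, which would shift the key alignment."""
    raw = base64.b64decode(blob, validate=True)
    return xor_bytes(raw, key)


def build_sample(plain: bytes, key: bytes = XOR_KEY) -> str:
    """Constructed helper used only to produce a test sample in the same
    layering (XOR, then Base64). The content is a harmless marker string,
    not shellcode."""
    return base64.b64encode(xor_bytes(plain, key)).decode("ascii")


# Constructed sample standing in for the adb.dll blob.
SAMPLE_PLAIN = b"ANALYST-MARKER: stand-in for the encoded payload"
SAMPLE_BLOB = build_sample(SAMPLE_PLAIN)


def decode_sample() -> bytes:
    """Run the decoder over the constructed sample."""
    return decode_payload(SAMPLE_BLOB)


if __name__ == "__main__":
    print(decode_sample())
```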
In response to this threat, users are advised to treat office documents with caution, especially those received from unfamiliar or untrusted sources. The attackers’ use of deceptive file extensions and camouflage within seemingly harmless documents underscores the importance of user awareness and robust security practices to reduce the risk of falling victim to such attacks. The provided IoCs give security teams concrete indicators for detecting and responding to instances of the VenomRAT attack.