InQuest Blog

Tools used by threat actors aimed at Ukraine and neighboring countries are constantly changing. Since in many cases the context of successful attacks is the use of documents in email attachments, we will consider some of the novelties of attackers that target Ukrainian government organizations. When these tools shattered like grains of sand, we named it GlowSand.

Microsoft Office has been a long favorite delivery mechanism for malicious payloads, from pen-testers to nation-state threat actor groups, and for good reason. Widely adopted. Large attack surface. Robust legacy support. These traits have been the source of news headlines for decades. This brings us to 2022. On May 27th, @nao_sec Tweeted about a suspicious document pivoting through Microsoft's Support Diagnostic Tool via the 'ms-msdt' scheme. The timing of this in-the-wild discovery coincided with a US holiday, and over the weekend the vulnerability picked up the name "Follina". On May 31st, we saw an official acknowledgment from Microsoft and formalized on CVE-2022-30190.

Some time ago, we discovered an interesting company distributing malicious documents. Which used the download chain as well as legitimate payload hosting services. In this report, we will show the technical side of this campaign and provide additional indicators.

One of our mantras at InQuest is that “there is no silver bullet” and our platform is architected with this in mind. There are some great technologies that we both build on and integrate with and, where there are gaps, we engineer solutions. In a nutshell, we multiplex multiple technologies in tandem. Similarly, our open research portal labs.inquest.net empowers analysts to draw conclusions about a given sample through multiple lenses.

A few days ago, we discovered an interesting sample that we believe is part of the Nobelium campaign, also known as Dark Halo. The document was uploaded to the VirusTotal service from Spain. It contains an attractive visual lure representing a document from the Israeli embassy. We will look at the threat vector and provide some indicators of attack that can help defenders identify or respond.