
IQ-FA004: Multiple Actors Abusing New Macro Methods

We wanted to go through and release some of the more interesting examples we are running into during this era of the hidden (very hidden) document, and we will publish more of them in flash reports and tweets going forward.

It is no surprise to us that the method described in our previous blog posts on this behavior, ZLoader 4.0 Macrosheets Evolution and Hidden Sheets, Data Connections, and XLM Macros, has gained popularity.
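As an added example (not InQuest's own tooling), the following Python triage script opens an OOXML workbook (xlsx/xlsm), lists sheets whose state is hidden or veryHidden, and checks for XLM (Excel 4.0) macrosheet parts, which is the combination the hidden-document maldocs described here rely on. The sample workbook it builds is constructed inline and is not a real sample.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Part prefix under which Excel stores XLM (Excel 4.0) macrosheets inside the OOXML zip.
MACROSHEET_PREFIX = "xl/macrosheets/"


def triage_workbook(data: bytes) -> dict:
    """Return hidden-sheet and XLM macrosheet findings for an OOXML workbook."""
    findings = {"hidden": [], "very_hidden": [], "macrosheets": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["macrosheets"] = sorted(n for n in names if n.startswith(MACROSHEET_PREFIX))
        if "xl/workbook.xml" in names:
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            # Every sheet (worksheet or macrosheet) is listed here; "state" defaults to visible.
            for sheet in root.iter(f"{{{NS_MAIN}}}sheet"):
                name = sheet.get("name", "?")
                state = sheet.get("state", "visible")
                if state == "hidden":
                    findings["hidden"].append(name)
                elif state == "veryHidden":
                    findings["very_hidden"].append(name)
    # An XLM macrosheet part together with a hidden/veryHidden sheet is the pattern to alert on.
    findings["suspicious"] = bool(findings["macrosheets"]) and bool(
        findings["very_hidden"] or findings["hidden"]
    )
    return findings


def build_sample() -> bytes:
    """Constructed minimal xlsm-like zip (not a real maldoc) with a veryHidden macrosheet."""
    workbook_xml = (
        f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
        '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        "</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_workbook(build_sample()))
```

Running the script on a real file is a matter of passing its bytes to `triage_workbook`; a veryHidden sheet alone is not proof of malice, but paired with a macrosheet part it warrants a closer look.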

XLSM leading to Parasite Stealer

Score badges (values not captured): InQuest Score, InQuest Labs Embedded Logic, VirusTotal XLSM Score, VirusTotal PE Score

| Date Observed | Indicator Type | Indicator | Notes/Reports |
|---|---|---|---|
| 5/18/2020 | Maldoc Hash | a76b0b87bea1a1e760cb65790f0c89748b37210a56295ca7a4b96b549a0598b0 | InQuest Labs, VirusTotal |
| 5/18/2020 | URL | http://csgo-run.xyz/dl.exe | /dl.exe |
| 5/18/2020 | URL | http://176.96.238.140/gate.php | /gate.php |
| 5/18/2020 | IP Address | 193.70.18.84 | AS16276 FR OVH |
| 5/18/2020 | IP Address | 176.96.238.140 | AS207319 RU MSKHOST |
| 5/18/2020 | Domain | csgo-run.xyz | csgo-run.xyz@regprivate.ru |
| 5/18/2020 | Malware Payload | a5969850c72e45cffff2dcd7d6e80751f40dbc8fd4c48d653275503a7ea1e323 | VirusTotal, Any.Run |

VT-GRAPH (VirusTotal Graph of the indicators above; image not captured)
