#APT Attack Targeting Russia

Today, we identified a sample uploaded to DOCGuard that targets Russia. This file uses template injection to connect to C2 and download the next stage.

What is a template injection?

Microsoft Word has a feature where a user can create a document with a template. Whenever a Word document with a template is read, these templates are downloaded from the local or remote machine. Thus, the attackers can host a Word Document Template file (.dotm) with malicious macros on their servers. Whenever the victim opens the Word Document, the Document will fetch the malicious template from the attacker’s server, and execute it.

The advantage of this technique is that template-injected attachments can evade Email Gateways and AV/EDR solutions more than the traditional malicious Word Document.

Infection chain

Word file has a template injection that connects to c2 to download a second stage which has VBA macros. Macros are used to decode the second c2 to download the encoding executable and we can see the infection chain in the next figure.

Technical Analysis

We identified that attacker embedded c2 to get the second stage from it and we can see that in the next figure.

So, we will load the second stage into Cerbero Suite and we can identify a VBA code that is used to decode a base64 C2 and connect to it and we can see that in the next figure.

From the previous figure, we can see that CreateObject is used to connect with Http.Open API and we can see that strings are obfuscated with base64 data, so we will decode the string and we can see that in the next figure.

As seen in the previous figure, we get another c2 which is used to drop a huge base64 data and decode it using base64 and we can see that in the next figure.

When we decoded the data, we realized that the decoded data has a magic header MZ, which is the indicator of being an executable as seen below.

When we save the decoded output and analyze the file we found another URL as seen below.

This final payload has a low detection rate on VT as below.

How to Analyze Template Injection using DOCGuard?

By using DOCGuard, it is possible to get reports of malicious files in a few seconds!

DOCGuard created the report as seen below.

If we jump into the IOCs tab, we can see the details about malicious parts of the document.

In URL section, it is also possible to gather remote locations of the templates.

After downloading the second stage and submitting it to DOCGuard, it detects the file as malicious, and we can see that in the next figure.

DOCGuard detected some blacklist of APIs which used to connect with C2 and we can see that in the next figure.

IOC Type IOC Value
File Name comn701ras.dotm
MD5 889ef5795a8bddef1fa66470c8a2e634
MD5 3ee8ccc3744155cb6bd41ece681c2d3d
MD5 12f938b403dc7d335c21703b67d23f81
MD5 f512ab1d4a38bdfe39451bf678f6bbae
MD5 5f07dcaec225dc8df016129943760329
DOMAIN xodfngua7ssv[.]hopto[.]org
URL https[:]//helpsoc[.]info/doc/comn701bul.dotm
URL https[:]//helpsoc[.]info/doc/comn701ras.dotm
URL https[:]//www[.]dropbox.com/s/raw/wy1he09vcy8wl6n/dbox23-updhelp

Comments are closed.