![]() We saw two archives with two kinds of payloads: one based on NodeJS, and another based on Java.įigure 2. They all have the same function - dropping and executing a JavaScript file, which downloads a ZIP archive, unpacks it, and executes its contents. The documents are embedded with malicious macro, some of which are obfuscated. Some of the names also suggest the social engineering the documents use: TEST1234.docm, Employment Application(2).dotm, tewst123.dotm, test2.docm, 123.doc, test1111.docm, t1.docm, INVOICE.docm, Invoice_Example.dotm, Doc1.docm, Fake Resume.doc, among others. The way the malware is named, for instance, indicates it is still under development. When correlating the variety of malicious documents embedded with DLOADR, we observed certain peculiarities in how it is delivered. Nevertheless, the techniques it employs still make it a credible threat - such as the abuse of legitimate application programming interfaces (APIs) and open-source tools such as Chrome WebDriver and Microsoft WebDriver. This was observed in spam campaigns carrying the TeamSpy malware that abuses TeamViewer to take over affected systems remotely. ![]() More importantly, it also delivers a malicious extension that could serve as a backdoor, stealing information keyed in on browsers.Ībusing legitimate remote access tools (and stealing its configurations) is not new. It delivers a version of the VisIT remote administration tool, which is used to hijack the infected system. The downloader malware's payloads (TROJ_SPYSIVIT.A and JAVA_ SPYSIVIT.A) are what make it notable. Trend Micro detects this malware as JS_DLOADR and W2KM_DLOADR. It appears they are working on a new malware that - based on how they were coded - is most likely intended to spread through spam emails embedded with malicious attachments. We noticed a series of testing submissions in VirusTotal that apparently came from the same group of malware developers in Moldova, at least based on the filenames and the submissions' source.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |