A malicious RTF (Rich Text Format) document has been persistently displaying an alert to ask users to enable macros, Zscaler security researchers have discovered.
As part of this unique infection chain, the malicious document forces the victims to execute an embedded VBA macro designed to download the QuasarRAT and NetWiredRC payloads.
While analyzing the attack, the security researchers discovered that the actor included macro-enabled Excel sheets inside the malicious RTF documents, to trick users into allowing the execution of payloads.
The RTF document features the .doc extension and is opened with Microsoft Word. When that happens, a macro warning popup is displayed, prompting the user to either enable or disable the macro.
........................
........................
