Security researchers from AlienVault have discovered a new malware strain named GZipDe that appears to be part of a targeted attack, most likely a cyber-espionage campaign.
Researchers discovered this new malware earlier this week after a user from Afghanistan uploaded a booby-trapped Word document to VirusTotal.
The document contained text taken from an article published last month about the Shanghai Cooperation Organization Summit, a political conference on Eurasian political, economic, and security topics.
Malware most likely used for cyber-espionage
Because VirusTotal hides precise information about the source of the upload, the target of this attack is unknown.
"We've only seen one sample of the malware," Chris Doman, a security researcher with AlienVault, told Bleeping Computer.
"It seems very targeted," Doman added. "Given the decoy document is in English and uploaded from Afghanistan, it may have been targeting someone in an embassy or similar there."
A GZipDe infection is a multi-step process
This Word file was just the first step in a multi-step infection process, which Doman detailed in a report published yesterday.
The document lured users into enabling macros, which then executed a Visual Basic script, which ran some PowerShell code, which downloaded a PE32 executable, which later dropped the actual malware, GZipDe.
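The chain described above (Office document, then a script host, then PowerShell, then an executable dropped outside the usual program directories) is the kind of parent/child process sequence a defender can flag in process-creation telemetry. The following is an added example, not code from AlienVault or Bleeping Computer and not tied to the real GZipDe sample: the events, file paths, process names and command lines are all constructed placeholders, and the trusted-root and severity rules are assumptions for illustration.

```python
"""Added example: flag the Office -> script host -> PowerShell -> dropped
executable chain in process-creation telemetry. Not AlienVault's or
Bleeping Computer's code; every event below is constructed."""
from typing import Dict, List, Optional, Tuple

# One process-creation event: (pid, parent pid, image path, command line)
Event = Tuple[int, int, str, str]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumption: executables started from outside these roots, at the end of the
# chain, are treated as downloaded droppers or payloads.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")

# Constructed sample events modelled on the chain in the article; paths and
# command lines are placeholders, not real indicators.
SAMPLE_EVENTS: List[Event] = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", 'WINWORD.EXE /n "summit.doc"'),
    (300, 200, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\s.vbs"),
    (400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -w hidden -enc PLACEHOLDER"),
    (500, 400, r"C:\Users\u\AppData\Local\Temp\update.exe", "update.exe"),
    (600, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


def basename(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.lower().rsplit("\\", 1)[-1]


def ancestry(by_pid: Dict[int, Event], pid: int) -> List[Event]:
    """Process chain from the root ancestor down to `pid` (inclusive)."""
    chain: List[Event] = []
    while pid in by_pid and len(chain) < 64:  # depth cap guards against cyclic data
        event = by_pid[pid]
        chain.append(event)
        pid = event[1]
    chain.reverse()
    return chain


def classify(chain: List[Event]) -> Optional[Tuple[str, str]]:
    """Severity and reason for the last process in `chain`, or None."""
    # stage 1: Office app seen; 2: script host under it; 3: PowerShell under either
    stage = 0
    for _, _, image, _ in chain:
        name = basename(image)
        if stage == 0 and name in OFFICE_APPS:
            stage = 1
        elif stage == 1 and name in SCRIPT_HOSTS:
            stage = 2
        elif stage >= 1 and name in POWERSHELL:
            stage = 3
    _, _, leaf_image, _ = chain[-1]
    leaf = basename(leaf_image)
    if stage == 3 and leaf not in POWERSHELL and not leaf_image.lower().startswith(TRUSTED_ROOTS):
        return ("high", "executable from a user-writable path launched under Office -> script -> PowerShell")
    if stage >= 2 and leaf in SCRIPT_HOSTS | POWERSHELL:
        return ("medium", "Office document spawned a script host or PowerShell")
    return None


def scan(events: List[Event]) -> Dict[int, Tuple[str, str]]:
    """Map pid -> (severity, reason) for every event whose ancestry matches."""
    by_pid = {e[0]: e for e in events}
    findings: Dict[int, Tuple[str, str]] = {}
    for pid in by_pid:
        verdict = classify(ancestry(by_pid, pid))
        if verdict is not None:
            findings[pid] = verdict
    return findings


if __name__ == "__main__":
    for pid, (severity, reason) in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"pid {pid}: {severity} - {reason}")
```

On the constructed sample, the dropped `update.exe` (pid 500) is rated high because its ancestry runs through Word, a script host and PowerShell and it starts from a user-writable path; the intermediate script host and PowerShell processes are rated medium on their own, and unrelated children of the shell, such as the notepad process, produce no finding. Matching on the whole ancestry rather than on a single parent/child pair is what lets the rule survive the extra hop through the Visual Basic script.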