Malware News New Malware Variant Is Delivered By Email

Solarquest

Office 365 users are being victimized by a new malware variant being sent by email, according to Ironscales and Sandbox.

Bad actors are using a malicious RTF file to infect machines and trick users into downloading an exe file payload.

The malware was discovered on November 29 by researchers from Ironscales and Sandbox, providers of a phishing threat protection platform.

The attack is a variant of “Formbook,” ready-to-sell malware that can be used by cyber-criminals who lack skill in malware, the researchers say.

The malware is a form-grabber written in C and x86 assembly language, they add.

Microsoft has had to patch the EQNEDT32.EXE process. It might have lost the source code for the process, meaning that it can’t patch against attacks, the firms report.

The malware depends on advanced techniques for lateral movement, stealing an executing thread of the 'explorer.exe' process to execute its own code.

The URL, hxx*ps://f.coka.la/2RTMHs.png, is an EXE file, hidden under the cover of a .PNG file. It is legitimately encrypted, and will bypass regular proxy servers, the result being that the malicious content remains hidden, the researchers report.

Due to delivery advances, the malware cannot be detected by antivirus and is difficult to monitor.

The researchers have not been able to discern a geographic pattern.
*Link edited...VT
VirusTotal
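A defensive check for the "EXE hidden under the cover of a .PNG file" trick described in the post, as an added example that is not part of the original post or the researchers' tooling: it compares the file type implied by the URL's extension with the type found in the downloaded bytes. The URL, the `check_download` helper and the sample bytes are constructed for illustration.

```python
import struct
from pathlib import PurePosixPath
from urllib.parse import urlparse

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
EXT_TO_TYPE = {".png": "png", ".exe": "pe", ".dll": "pe", ".rtf": "rtf"}

def is_pe(data: bytes) -> bool:
    """True if data starts with MZ and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def sniff(data: bytes) -> str:
    """Identify content by its leading bytes, ignoring any file name."""
    if is_pe(data):
        return "pe"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(b"{\\rtf"):
        return "rtf"
    return "unknown"

def check_download(url: str, body: bytes) -> dict:
    """Hypothetical helper: flag a Windows executable served under another extension."""
    ext = PurePosixPath(urlparse(url).path).suffix.lower()
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff(body)
    return {
        "claimed": claimed,
        "actual": actual,
        "mismatch": claimed != actual,
        "alert": actual == "pe" and claimed != "pe",
    }

# Constructed sample: a minimal MZ/PE header stub, not a real executable.
_stub = bytearray(0x40)
_stub[:2] = b"MZ"
struct.pack_into("<I", _stub, 0x3C, 0x40)
FAKE_PE = bytes(_stub) + b"PE\x00\x00"
REAL_PNG = PNG_MAGIC + b"\x00" * 56  # constructed: PNG signature plus padding

if __name__ == "__main__":
    print(check_download("https://downloads.example/picture.png", FAKE_PE))
    print(check_download("https://downloads.example/picture.png", REAL_PNG))
```

Because the download in the post travels over TLS, a check like this has to run where the plaintext is available, such as on the endpoint or behind a TLS-inspecting gateway.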
 
