Outlook Bug Allowed Hackers to Use .RTF Files To Steal Windows Passwords

Microsoft patched a bug that allowed attackers to steal a target’s Windows account password via a previewed Outlook message. Continue reading Outlook Bug Allowed Hackers to Use .RTF Files To Steal Windows Passwords

VU#974272: Microsoft Outlook retrieves remote OLE content without prompting

When a Rich Text Format (RTF) email is previewed in Microsoft Outlook, remotely hosted OLE content is retrieved without requiring any additional user interaction. This can leak private information, including the user’s password hash, which may then be cracked by an attacker. Continue reading VU#974272: Microsoft Outlook retrieves remote OLE content without prompting

Word Attachment Delivers FormBook Malware, No Macros Required

A new wave of document attacks targeting inboxes does not require enabling macros in order for adversaries to trigger an infection chain that ultimately delivers FormBook malware. Continue reading Word Attachment Delivers FormBook Malware, No Macros Required

[SANS ISC] Interesting VBA Dropper

I published the following diary on isc.sans.org: “Interesting VBA Dropper”. Here is another sample that I found in my spam trap. The technique to infect the victim’s computer is interesting. I captured a mail with a malicious RTF document (SHA256: c247929d3f5c82247db9102d2dec28c27f73dc0824f8b386f92aad1a22fd8edd) that exploits the OLE2Link vulnerability (CVE-2017-0199). Once opened, the

[The post [SANS ISC] Interesting VBA Dropper was first published on /dev/random]

Continue reading [SANS ISC] Interesting VBA Dropper

another fake order email with rtf attachment delivers malware

An email with the subject of Fwd: Re: Order, pretending to come from info@anashin.am, with a malicious Word doc attachment delivers malware. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at Continue reading another fake order email with rtf attachment delivers malware

Fwd: BL copy malspam uses RTF exploit CVE-2017-0199 to deliver malware

An email with the subject of Fwd: BL copy coming from pedro.estaba@cindu.com.ve with a malicious Word doc attachment delivers malware using the RTF exploit CVE-2017-0199. The Word doc is actually an RTF document. It is highly likely that recipients will get a similar email with different senders and email body content, imitating Continue reading Fwd: BL copy malspam uses RTF exploit CVE-2017-0199 to deliver malware
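The two RTF abuses collected on this page leave the same trace in the file: the auto-updating linked OLE object that makes Outlook fetch remote content during preview (VU#974272) and the OLE2Link object that pulls a payload from a URL (CVE-2017-0199) both live in an `{\*\objdata ...}` hex blob, usually next to the `\objupdate` or `\objautlink` control words that tell Word to refresh the link without a click. The triage script below is an added example written for this page, not code from any of the linked posts. It decodes every `\objdata` blob, looks for UNC paths and URLs as plain ASCII and as UTF-16LE, and grades the document. The RTF fixtures it scans are constructed here; the eight leading header bytes, the `10.0.0.5` host and the `example.invalid` URL are placeholders, not taken from a real sample.

```python
import binascii
import re
from typing import List, Optional

# Hex payload of an {\*\objdata ...} group.  Real samples often pad the hex with
# whitespace or stray control words; this parser tolerates whitespace only.
OBJDATA_RE = re.compile(rb"\{\\\*\\objdata\s*([0-9a-fA-F\s]+)\}")

# Remote references worth flagging: UNC paths (SMB, hands out the NTLM hash)
# and URLs (the monikers OLE2Link-style objects resolve).
_HOST = r"[A-Za-z0-9._-]+"
_PATH = r"[A-Za-z0-9._~$%:/?=&#@+\\-]+"
_REMOTE = rf"(\\\\{_HOST}\\{_PATH}|(?:https?|file)://{_HOST}(?:/{_PATH})?)"
REMOTE_STR_RE = re.compile(_REMOTE)
REMOTE_BYTES_RE = re.compile(_REMOTE.encode())


def decode_objdata(hexblob: bytes) -> bytes:
    """Strip whitespace and unhexlify an \\objdata payload (a dangling nibble is dropped)."""
    clean = re.sub(rb"\s+", b"", hexblob)
    if len(clean) % 2:
        clean = clean[:-1]
    return binascii.unhexlify(clean)


def find_remote_refs(blob: bytes) -> List[str]:
    """Return UNC paths / URLs found in raw object data, scanned as ASCII and as UTF-16LE."""
    refs: List[str] = []
    for m in REMOTE_BYTES_RE.finditer(blob):
        refs.append(m.group(1).decode("latin-1"))
    text16 = blob[: len(blob) // 2 * 2].decode("utf-16-le", errors="ignore")
    for m in REMOTE_STR_RE.finditer(text16):
        refs.append(m.group(1))
    return list(dict.fromkeys(refs))  # de-duplicate, keep order


def scan_rtf(data: bytes) -> dict:
    """Triage one RTF document for linked OLE objects that reach out to a remote host."""
    result = {
        "objects": 0,
        # \objupdate forces the link to refresh on open/preview; \objautlink marks an
        # automatic link.  Either means the fetch happens without user interaction.
        "auto_update": b"\\objupdate" in data or b"\\objautlink" in data,
        "remote_refs": [],
    }
    for m in OBJDATA_RE.finditer(data):
        result["objects"] += 1
        result["remote_refs"].extend(find_remote_refs(decode_objdata(m.group(1))))
    result["remote_refs"] = list(dict.fromkeys(result["remote_refs"]))
    if result["remote_refs"] and result["auto_update"]:
        result["verdict"] = "suspicious"  # remote content fetched with no click
    elif result["remote_refs"] or result["objects"]:
        result["verdict"] = "review"      # embedded or linked object present
    else:
        result["verdict"] = "clean"
    return result


def build_fixture(target: Optional[str]) -> bytes:
    """Constructed test RTF.  With a target it carries an auto-updating linked object whose
    data holds the target as UTF-16LE; the 8 leading bytes merely imitate an OLE1 object
    header and are placeholders, not copied from a real sample."""
    if target is None:
        return b"{\\rtf1\\ansi Quarterly report attached.\\par}"
    payload = b"\x01\x05\x00\x00\x02\x00\x00\x00" + target.encode("utf-16-le") + b"\x00\x00"
    hexdata = binascii.hexlify(payload).decode()
    return (
        "{\\rtf1\\ansi {\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
        "{\\*\\objdata " + hexdata + "}}\\par}"
    ).encode()


FIXTURES = {
    "unc_smb": build_fixture(r"\\10.0.0.5\share\bait.rtf"),     # VU#974272-style SMB reach-out
    "http_link": build_fixture("http://example.invalid/t.doc"),  # OLE2Link-style URL
    "clean": build_fixture(None),
}

if __name__ == "__main__":
    for name, doc in FIXTURES.items():
        r = scan_rtf(doc)
        print(f"{name:10s} {r['verdict']:10s} objects={r['objects']} refs={r['remote_refs']}")
```

Run as a script it prints one line per fixture; `unc_smb` and `http_link` come back `suspicious`, the plain document `clean`. The regular-expression parser is deliberately simple: in-the-wild samples hide the hex stream behind nested groups, `\bin` runs and junk control words, so for real triage feed the file to a proper RTF object extractor (oletools' `rtfobj`, for example) and keep this as a quick first look and a reference for what the indicators are.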