- All Word documents used the blue document template (same as used for XML documents last week).
- However, the documents are now actual Word documents (we saw them change back from XML last Friday).
- In Word, I could not edit the macros - I got a MsgBox named "Project Locked" with the text: "project is unviewable".
- I can edit them with LibreOffice, though.
- The command text is now being stored in a textbox on a UserForm.
- There is very little obfuscation being used today.
- Basically, you just have to remove the string "0-1427288548-2036816420" and you're left with the full command string.
- The threat actors are using a "," instead of a "@" to split the URLs in the PowerShell cmdlet.
- Word Document File Hashes
- 317dc1f953270002b2f5a18defd88b97
- 530639fe9060a2199b0d23e11df3509a
- 571ae3bd0edacc518f3614fd20d529f3
- edcd5e893ca1f097ff671e0226507026
- Payload URLs
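
The cleanup described in the notes above, as an added triage example (not part of the original paste): strip the filler string from text dumped from the UserForm textbox, then recover the URL list whether it is split on "," or "@". The function names and the sample command are constructed for illustration, and the sample uses placeholder example.test hosts.

```python
import re

# Filler string quoted in the notes above.
JUNK = "0-1427288548-2036816420"

def deobfuscate(textbox_text, junk=JUNK):
    """Remove the filler; return (command, number_of_fillers_removed)."""
    return textbox_text.replace(junk, ""), textbox_text.count(junk)

def split_url_list(command):
    """Find the quoted URL list; return (delimiter, urls)."""
    is_url = re.compile(r"https?://\S+$", re.I).match
    for m in re.finditer(r"(['\"])(.*?)\1", command, re.S):
        body = m.group(2).strip()
        # Try the delimiter seen today first, then the earlier one.
        for delim in (",", "@"):
            parts = [p.strip() for p in body.split(delim)]
            if len(parts) > 1 and all(is_url(p) for p in parts):
                return delim, parts
        if is_url(body):
            return None, [body]  # single URL, no delimiter in use
    return None, []

def defang(url):
    """Make a URL non-clickable for notes and tickets."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

# Constructed sample: placeholder hosts, not a working command.
SAMPLE = JUNK.join([
    "pow", "ershell $list = 'http://a.exam", "ple.test/x1,http://b.example.te",
    "st/y2'.Sp", "lit(',')",
])

if __name__ == "__main__":
    command, removed = deobfuscate(SAMPLE)
    delim, urls = split_url_list(command)
    print(f"fillers removed: {removed}")
    print(f"delimiter: {delim!r}")
    for u in urls:
        print(defang(u))
```

A removal count of zero on a new sample is a quick sign that the filler string has changed and the constant needs updating.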