@evacide seeing as how it seems like the Paragon attack was executed via maldoc PDFs i'll just mention i created a (surprisingly popular) tool for analyzing (possibly malicious) PDFs after my own unpleasant encounter with such a creature
https://github.com/michelcrypt4d4mus/pdfalyzer
#paragon #infosec #Whatsapp #PDF #pdfalyzer #Malware #maldoc
The embedded Word document contains a VBS macro that is designed to download and install an MSI malware file if opened as a .DOC file in Microsoft Office.
#malware #cybersecurity #PDF #MalDoc
https://cybersec84.wordpress.com/2023/09/04/new-polyglot-maldoc-attack-in-pdf-evades-antivirus/
Beware of #MalDoc in #PDF: A New Polyglot Attack Allowing Attackers to Evade Antivirus ⚠️
https://thehackernews.com/2023/09/beware-of-maldoc-in-pdf-new-polyglot.html
Polyglots sind Dateien, die zwei unterschiedliche Dateiformate enthalten, die je nach der Anwendung, die sie öffnet, als mehr als ein Dateityp interpretiert und ausgeführt werden können.
Angreifer machen sich das jetzt mit #MalDoc zunutze. https://t.co/ZBUxxp6Tbz
#MalDoc in #PDF: Japanisches CERT warnt vor in PDFs versteckten #Malware-Dokumenten | Security https://www.heise.de/news/MalDoc-in-PDF-Japanisches-CERT-warnt-vor-versteckter-Malware-9288262.html
MalDoc in PDF attacks use a combination of Word and PDF files to spread malware https://tchlp.com/3Z2m1l2 #maldoc #pdf #word #malware
A Japanese agency managed to detect a ‘#MalDoc in PDF’ attack, involving #PDFs with embedded malicious #Word files that bypass detection by traditional PDF analysis tools.
#Japan #cybersecurity #infosec #malware
https://cybernews.com/news/jpcert-maldoc-malicious-pdf-attack/
「 #MalDoc in #PDF - 検知回避を狙って悪性なWordファイルをPDFファイルへ埋め込む手法」: JPCERTCC
「JPCERT/CCは、7月に発生した攻撃に、検知回避を狙って悪性なWordファイルをPDFファイルへ埋め込む新しいテクニック(以降本記事ではMalDoc in PDFとする)が使用されたことを確認しました。」
Intro to Malware Analysis - I have just completed this room! Check it out: https://tryhackme.com/room/intromalwareanalysis #tryhackme #security #malware #analysis #malware-analysis #maldoc #virustotal #sandbox #any.run #cuckoo #dfir #ioc #intromalwareanalysis via @RealTryHackMe
Struggling with the wave of OneNote #phishing documents? Did you know you can block OneNote from launching an embedded file, which prevents the current wave of phishing docs.
#DFIR #CSIRT #MalDoc
https://www.bleepingcomputer.com/news/security/how-to-prevent-microsoft-onenote-files-from-infecting-windows-with-malware/
@SophosXOps All the #OneNote #maldoc documents in this case contain a static image that prompts the user to click a button in response to text that says "This document contains attachments from the cloud, to receive them, double click 'open.'"
When you open the document, it spawns an embedded HTML Application (eg., an .hta file) with an embedded, obfuscated script in the DIV tag. That script retrieves a Qakbot DLL payload from a website and executes the initial infection command. 5/6
@SophosXOps #Qakbot's threat actors typically use email messages as their initial attack vector, "injecting" a malicious email into the middle of existing conversational threads, replying to all parties with either a #maldoc attachment or a link to a #malware file.
They're the worst kind of "reply guy" 3/6
I wrote a small Python library to extract metadata and embedded files in a #OneNote documents (.one). The OneNote file format is not really documented but it seems to work on the files I tested.
It is published on the @volexity GitHub repository: https://github.com/volexity/threat-intel/tree/main/tools/one-extract
It can be used in #standalone or included easily on any #pipeline.
#CTI #threathunting #maldoc #maliciousdocuments
A malicious doc on the name of Colombian GOV spread as a fake lawsuit and enforced collection.
@dimitribest
4a69b0a3796dd688d57e11658ac1058c <doc
9792c84f24e1492cc4d179523fdfcb9d < vbs
1e989e84f5967d84f40acabaad3395de < Njrat
IoCs:
hxxps://cdn.discordapp.com/attachments/1047544891632259145/1047971566543179936/2dode8002[.]vbs
hxxps://cdn.discordapp.com/attachments/1047543449777344516/1047971253056708729/2dode8002[.]txt
135d1da64932e6f858f7136f8c2b339f
We published a blog #post about #Lazarus. They are still abusing fake cryptocurrency applications but we also identified #maldoc with #macro (an inception of macros). The purpose is to deploy #AppleJeus variants.
From #reverse point of view, they implemented an uncommon side-loading technique. The malicious DLL is not directly loaded by the IAT of a legit binary, but via a legitimate DLL from the System32 repository. More details on the @volexity blog : https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/
#CTI #threatintel #threatintelligence
Emotet coming in hot - Emotet is a ubiquitous and well-known banking trojan that has evolved over the yea... https://blog.talosintelligence.com/emotet-coming-in-hot/ #threatspotlight #crimeware #topstory #securex #emotet #botnet #maldoc
New campaign uses government, union-themed lures to deliver Cobalt Strike beacons - By Chetan Raghuprasad and Vanja Svajcer. Cisco Talos discovered a malicious campai... http://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html #informationstealers #cobaltstrike #securex #threats #maldoc
Transparent Tribe campaign uses new bespoke malware to target Indian government officials - By Asheer Malhotra and Justin Thattil with contributions from Kendall McKay.
Cisco Talos... http://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html #crimsonrat #malware #securex #maldoc #apt #rat
Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups - By Asheer Malhotra, Vitor Ventura and Arnaud Zobec.
Cisco Talos has observed new cyber a... http://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html #muddywater #securex #maldoc #turkey #iran #apt #rat
