Spam Campaign Leveraged RTF Documents to Spread Infostealers


A spam campaign leveraged malicious RTF documents to distribute notorious infostealers including Agent Tesla and Lokibot.

While digging through a few other spam campaigns, Lastline observed unusual use of the C# compiler from the command line in some samples. Its researchers performed additional analysis and found that the samples belonged to the same malicious spam campaign.

Lastline’s telemetry data showed that the campaign had begun in mid-October 2019, peaked on October 17 and then took a three-week break before finally returning.

In total, the security firm tracked 79 unique hashes out of the 138 samples, a fact which shows that many of the samples played an active role only briefly. Some of those samples used generic email subjects, while some leveraged subject lines that targeted specific events and organizations. They also targeted a variety of customers, although education organizations in the APAC region were predominantly affected.

Researchers at Lastline also decided to analyze one of the campaign’s RTF samples. They found that the document leveraged a social engineering technique to trick the user into doing what they wanted. As quoted in their research:

Manually running the decoy RTF document in a VM launches Microsoft Excel, which then repeatedly pops up a window… asking for the activation of macros. This is probably a bid to wear down a user’s patience to maximize the activation rate.

Prompt macro pop-up windows. (Source: Lastline)

In its research, Lastline found that the payloads employed by the campaign dated back to March 2018. This payload began as a resilient downloader that used PowerShell. But as time wore on, the payload incorporated new obfuscation and anti-detection tactics. The attackers also eventually switched from PowerShell to C# in early 2019. In particular, the attacks began using the Add-Type cmdlet in their PowerShell payloads to compile C# programs. This tactic, in turn, enabled attackers to bypass AMSI-related detection for the purpose of downloading additional malware.
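The Add-Type behaviour described above leaves a process-creation trail that defenders can hunt for: when Windows PowerShell compiles C# source, it launches csc.exe as a child process, which matches the command-line compiler use Lastline noticed. The following Python is an added example, not code from Lastline or the original article; the event fields, process IDs and sample events are constructed, and it assumes process-creation telemetry (for instance Sysmon Event ID 1) that records pid, parent pid and image path.

```python
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "powershell_ise.exe"}  # Windows PowerShell hosts

def ev(pid, ppid, image, cmd=""):
    return {"pid": pid, "ppid": ppid, "image": image, "cmd": cmd}

CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events for illustration; none of these values come from the report.
EVENTS = [
    ev(100, 4, r"C:\Windows\explorer.exe"),
    # Chain from the article: Office app -> PowerShell -> C# compiler
    ev(210, 100, r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"),
    ev(220, 210, PS, "powershell.exe <constructed placeholder>"),
    ev(230, 220, CSC, r'csc.exe /noconfig /fullpaths @"C:\Users\a\AppData\Local\Temp\abcd1234.cmdline"'),
    # Benign developer build: csc.exe under MSBuild, must not match
    ev(300, 100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"),
    ev(310, 300, CSC, "csc.exe /noconfig @build.rsp"),
    # Admin script using Add-Type interactively: no Office ancestor, lower priority
    ev(400, 100, PS, "powershell.exe -File inventory.ps1"),
    ev(410, 400, CSC, r'csc.exe /noconfig /fullpaths @"C:\Users\b\AppData\Local\Temp\efgh5678.cmdline"'),
]

def name(event):
    # ntpath parses Windows paths correctly on any host OS
    return ntpath.basename(event["image"]).lower()

def ancestors(event, by_pid):
    """Yield parent, grandparent, ... (assumes no PID reuse inside the window)."""
    seen = set()
    while event["ppid"] in by_pid and event["ppid"] not in seen:
        seen.add(event["ppid"])
        event = by_pid[event["ppid"]]
        yield event

def find_addtype_chains(events):
    """Flag csc.exe launched by PowerShell; 'high' if an Office app is an ancestor."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if name(e) != "csc.exe" or parent is None or name(parent) not in POWERSHELL:
            continue
        chain = [name(a) for a in ancestors(e, by_pid)]
        severity = "high" if OFFICE & set(chain) else "review"
        hits.append({"pid": e["pid"], "severity": severity,
                     "chain": chain[::-1] + ["csc.exe"]})
    return hits
```

PowerShell 7 and later compile Add-Type source in-process and do not spawn csc.exe, so this check only covers Windows PowerShell hosts.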

The campaign described above highlights the need for organizations to defend themselves against spam campaigns. They can do so by educating their users about some of the most common phishing attacks in circulation today.
