Check Point Reported That Chinese APT Hackers Exploit MS Word Bug To Drop Malware - Cybers Guards

This campaign is believed to have been launched by a long-running APT group that targets various government and private-sector organisations, and the new operation leverages the COVID-19 pandemic to deceive the victim and start the infection. It uses what is often called the "8.t" RTF exploit builder, which is employed here primarily to exploit the bug in the Microsoft Word Equation Editor. Information gathered on this attack shows that the RTF files match Royal Road, an RTF weaponizer named by Anomali. Several of the malicious documents were written in Mongolian, one of them allegedly from the Ministry of Foreign Affairs of Mongolia, and the documents contain information on recent coronavirus infections. The attackers also use up-to-date malware techniques in this campaign, delivered through the malicious RTF documents.

Infection vector

When the user opens a malicious RTF document, the Microsoft Word bug is exploited and a new file called intel.wll is dropped into the Word Startup folder.
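To triage incoming RTF attachments for the Equation Editor object this campaign abuses, here is an added Python example; it is not code from Check Point or from this article. It assumes that an embedded OLE object whose class is Equation Editor, an \objupdate control word (which forces the object to be activated as soon as the document opens), or the Equation Editor class name or CLSID inside the decoded \objdata payload is enough reason to pull a file aside. The two RTF strings in the block are constructed for the demo; the hex decoder keeps only hex digits, which is an assumption about how leniently Word parses \objdata, since weaponized RTFs often pad it with junk to defeat naive decoders.

```python
"""Triage an RTF file for an embedded Equation Editor OLE object.

Added example; not code from Check Point or from this article. Assumptions:
an \\objclass naming Equation Editor, an \\objupdate control word (which
forces the object to be activated when the document opens), or the string
"Equation" / the Equation Editor 3.0 CLSID inside the decoded \\objdata hex
are enough to flag a file for a closer look. SAMPLE_RTF and BENIGN_RTF are
constructed for this demo, not real campaign documents.
"""
import re
import sys

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} in the
# little-endian byte order used inside OLE streams.
EQNEDT_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")

OBJCLASS_RE = re.compile(r"\\objclass\s*([^\\{}]+)")
OBJDATA_RE = re.compile(r"\\objdata\b(.*?)}", re.S)


def decode_objdata(raw: str) -> bytes:
    """Decode the hex payload of \\objdata.

    Only hex digits are kept; whitespace and any non-hex junk are dropped.
    This approximates Word's lenient parsing (an assumption: weaponized RTFs
    often pad \\objdata with junk to defeat naive hex decoders).
    """
    hexchars = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexchars) % 2:
        hexchars = hexchars[:-1]
    return bytes.fromhex(hexchars)


def triage_rtf(rtf: str) -> dict:
    """Return the indicators found in an RTF document passed as text."""
    findings = {
        "objclass": [c.strip() for c in OBJCLASS_RE.findall(rtf)],
        "objupdate": "\\objupdate" in rtf,
        "objdata_count": 0,
        "equation_in_objdata": False,
    }
    for raw in OBJDATA_RE.findall(rtf):
        findings["objdata_count"] += 1
        blob = decode_objdata(raw)
        if b"Equation" in blob or EQNEDT_CLSID_LE in blob:
            findings["equation_in_objdata"] = True
    findings["suspicious"] = findings["equation_in_objdata"] or any(
        "equation" in c.lower() for c in findings["objclass"]
    )
    return findings


def build_ole1_header(classname: str) -> bytes:
    """Minimal OLE1 embedded-object header: version, format id, class name."""
    name = classname.encode() + b"\x00"
    return (
        (0x00000501).to_bytes(4, "little")  # OLE version
        + (2).to_bytes(4, "little")         # format id 2: embedded object
        + len(name).to_bytes(4, "little")
        + name
    )


# Constructed sample: Equation.3 object plus \objupdate, as a weaponizer emits.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}{\*\objdata "
    + build_ole1_header("Equation.3").hex()
    + "}}}"
)

# Constructed benign sample: an ordinary embedded spreadsheet, no \objupdate.
BENIGN_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Excel.Sheet.12}{\*\objdata "
    + build_ole1_header("Excel.Sheet.12").hex()
    + "}}}"
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        for label, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
            print(label, triage_rtf(doc))
    for path in paths:
        with open(path, "r", encoding="latin-1", errors="replace") as fh:
            print(path, triage_rtf(fh.read()))
```

Run it with one or more RTF paths to get a findings dictionary per file, or with no arguments to see the constructed samples scored. A hit on `equation_in_objdata` is the strong signal; `objupdate` on its own is common in weaponized documents but also appears in legitimate ones, so treat it as supporting evidence rather than a verdict.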

This is one of the latest variants of the RoyalRoad weaponizer's persistence technique, which relies on Word loading every DLL with a .wll extension from the Word Startup folder when the user launches MS Word, and that load is what starts the infection chain. Because nothing runs until Word is next opened, the technique also helps keep the malicious code from ever executing inside an automated sandbox. After the intel.wll DLL is loaded, the next stage of the infection chain is downloaded from the C2 server (95.179.242[.]6) and decrypted. In this next stage, the DLL, which turns out to be the main loader of the malware framework built by this APT actor, can receive additional functionality from the second C2 server. The RAT module of the malware has the following key capabilities:

- Take a screenshot
- List files and directories
- Create and delete directories
- Move and delete files
- Download a file
- Execute a new process
- Get a list of all services

Both C&C servers were hosted on Vultr, and the domains were registered through the GoDaddy registrar.
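Two checks follow directly from the infection chain above: anything with a .wll extension in the Word Startup folder is loaded as an add-in the next time Word starts, and any outbound connection to the C2 address is a compromise indicator. The Python below is an added example, not code from Check Point or from this article. It assumes the per-user Word Startup folder lives at %APPDATA%\Microsoft\Word\STARTUP (the Office install directory carries a second STARTUP folder whose path varies by version, so it has to be passed in explicitly), and the proxy log lines it matches against are constructed for the demo.

```python
"""Hunt for the Word Startup persistence and the C2 contact described above.

Added example; not code from Check Point or from this article. Assumptions:
the per-user Word Startup folder is %APPDATA%\\Microsoft\\Word\\STARTUP (the
Office install directory has a second STARTUP folder whose path varies by
version, so pass it explicitly); SAMPLE_PROXY_LOG is constructed for the demo.
"""
import os
import re
import tempfile
from pathlib import Path

# C2 address from the report, kept defanged as published.
C2_IOCS = {"95.179.242[.]6"}

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def default_startup_dirs():
    """Per-user Word Startup folder (assumed location, see module docstring)."""
    appdata = os.environ.get("APPDATA")
    return [Path(appdata) / "Microsoft" / "Word" / "STARTUP"] if appdata else []


def find_wll_addins(startup_dirs):
    """Return every .wll file in the given Startup folders.

    Word loads each .wll there as an add-in DLL at launch, which is exactly
    the mechanism intel.wll relies on, so any unexpected entry needs explaining.
    """
    hits = []
    for d in startup_dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        hits.extend(p for p in d.iterdir()
                    if p.is_file() and p.suffix.lower() == ".wll")
    return sorted(hits)


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a real address."""
    return ioc.replace("[.]", ".")


def match_c2(log_lines, iocs=C2_IOCS):
    """Return log lines that carry one of the C2 IPs (defanged IOCs accepted)."""
    wanted = {refang(i) for i in iocs}
    return [line for line in log_lines
            if any(ip in wanted for ip in IP_RE.findall(line))]


# Constructed proxy/firewall log lines, not real telemetry.
SAMPLE_PROXY_LOG = [
    "2020-03-12 09:14:02 WS-017 10.0.4.21 -> 95.179.242.6:443 TCP ALLOW",
    "2020-03-12 09:14:05 WS-017 10.0.4.21 -> 142.250.74.78:443 TCP ALLOW",
    "2020-03-12 09:15:41 WS-022 10.0.4.33 -> 95.179.242.6:80 TCP ALLOW",
]


def demo():
    """Run both checks against a constructed Startup folder and the sample log."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / "Microsoft" / "Word" / "STARTUP"
        startup.mkdir(parents=True)
        (startup / "intel.wll").write_bytes(b"MZ")   # stand-in for the dropped DLL
        (startup / "README.txt").write_text("benign")
        wll_names = [p.name for p in find_wll_addins([startup])]
    return {"wll_names": wll_names, "c2_hits": match_c2(SAMPLE_PROXY_LOG)}


if __name__ == "__main__":
    print(demo())
    for p in find_wll_addins(default_startup_dirs()):
        print("WLL add-in present:", p)
```

On a live host, pass both the per-user folder and the Office install STARTUP folder to `find_wll_addins` and hash whatever it returns before comparing against the published indicators; matching the IP alone in `match_c2` is deliberately simple because the report gives only the address, not the hostnames the domains resolved to.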

Indicators of compromise

RTFs:
DLLs:
RAT:
