Recently, Telsy TRT detected a wave of malicious documents trying to impersonate an official institution of a government of Middle-East. Moreover, the website of another government institution of the same country appears to have been compromised in order to spread a dot NET malicious payload. To protect these gov entities, we don’t want for now to share too many details about, but we will integrate this post when the incident response operations from their side will be completed. In consideration of a moderate level of diffusion of the collected malicious payloads as well as limited global requests for DNS resolution of the domain name identified as CnC, we assert that […]
Recently, a new wave of malicious decoy Microsoft Office documents addressed exclusively to a central country of the european geographical area was intercepted by Telsy TRT. These have been collected while landing on a media sector company. Observed TTPs did not lead to any known threat actor and initially we were imagining that a new group was coming out of the shadow… Who was operating behind this campaign seemed to use different infection methods to reach the execution of its 1st stage payload, including the adoption of the “EvilClippy” tool, released during a BlackHat Asia talk (March 28, 2019). However, after some time, we gathered evidence that led us to […]
In last days of March, Telsy TRT captured same malicious macro armed documents likely tergeting ASEAN affairs and meeting members. Telemetry and spreading statistics related to these decoy documents highlight their diffusion in the geographical area of Thailand. According with OSINT information, the 34th ASEAN Meeting will be held in Bangkok, Thailand, on June 2019. These malicious documents have been designed to induce the victims to enable a macro code that will lead to an in-memory payload injection through the use of layered obfuscation techniques. At the time of analysis, the full infection cycle showed a very low detection rate in comparison with the major anti-malware solutions. On the basis […]
This post introduces the blog of the Telsy Threat Recon Team.