
Malicious attachment disguised as top-secret US document leveraged to target organizations in Europe

  • The campaign is used against several financial service firms and embassies in Europe.
  • The infection process starts with attackers sending phishing emails to the targets.

Security researchers have come across a new attack campaign that leverages a malicious document bearing the logo of the US Department of State. The campaign is used against several financial service firms and embassies in Europe.

The big picture - Discovered by security researchers at Check Point, the attack campaign involves the use of a malicious document disguised as a top-secret document and a trojanized TeamViewer. This enables the attackers to gain complete control of infected systems.

How does the infection process begin - The infection process starts with attackers sending phishing emails to the targets. These phishing emails, sent under the subject ‘Military Financing program’, contain an XLSM attachment. In order to trick the victims, the XLSM document bears the logo of the US Department of State and goes by the title ‘Military Financing.xlsm’.

“The well-crafted document bears the logo of the U.S. Department of State and is marked as Top Secret. Although the attackers have worked hard to make the document appear convincing, they seem to have overlooked some Cyrillic artifacts (such as the Workbook name) that were left in the document, and could potentially reveal more information about the source of this attack,” Check Point researchers noted.

What is the use of the malicious XLSM document - Once the victims open the XLSM document, it unleashes macros that extract two new files:

  • A legitimate AutoHotkeyU32.exe program, and
  • AutoHotkeyU32.ahk, a script used to download additional AHK scripts from URLs on the attacker’s C2 server.

One of the AHK scripts downloads a malicious version of TeamViewer named TV.DLL. Once TV.DLL is loaded via a DLL side-loading technique, it allows the attackers to steal login credentials.
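As an added, defender-side illustration that is not part of the article or of the Check Point report, the detection logic below scans process-creation and image-load records for the two behaviours the chain above exhibits: an Office process launching AutoHotkeyU32.exe, and TeamViewer loading TV.DLL from an untrusted or unsigned location. The pipe-delimited record format, the sample paths and the trusted-directory list are assumptions; the log lines are constructed, not captured from a real incident.

```python
import ntpath  # handles Windows paths on any host

# Assumed, simplified record format (constructed, not real Sysmon output):
#   ProcessCreate|<parent image>|<child image>|<command line>
#   ImageLoad|<process image>|<loaded image>|<signed: true/false>
SAMPLE_LOG = r"""
ProcessCreate|C:\Program Files\Microsoft Office\EXCEL.EXE|C:\Users\a\AppData\Roaming\AutoHotkeyU32.exe|AutoHotkeyU32.exe AutoHotkeyU32.ahk
ImageLoad|C:\Users\a\AppData\Roaming\TeamViewer.exe|C:\Users\a\AppData\Roaming\TV.DLL|false
ImageLoad|C:\Program Files\TeamViewer\TeamViewer.exe|C:\Program Files\TeamViewer\TV.DLL|true
ProcessCreate|C:\Windows\explorer.exe|C:\Program Files\AutoHotkey\AutoHotkeyU32.exe|AutoHotkeyU32.exe build.ahk
"""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Assumed install locations a legitimate TeamViewer DLL would load from.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def _under_trusted(path):
    return path.lower().startswith(TRUSTED_DIRS)


def check_event(line):
    """Return an alert string for one event record, or None if benign."""
    fields = line.rstrip("\n").split("|")
    kind = fields[0]
    if kind == "ProcessCreate":
        _, parent, image, cmdline = fields
        # Macro-driven drop: Excel/Word/PowerPoint spawning the AutoHotkey runtime.
        if (ntpath.basename(parent).lower() in OFFICE_APPS
                and ntpath.basename(image).lower() == "autohotkeyu32.exe"):
            return f"Office spawned AutoHotkey: {parent} -> {cmdline}"
    elif kind == "ImageLoad":
        _, process, image, signed = fields
        # Side-load: TV.DLL outside the install directory or unsigned.
        if (ntpath.basename(image).lower() == "tv.dll"
                and (not _under_trusted(image) or signed != "true")):
            return f"possible TV.DLL side-load: {process} loaded {image} (signed={signed})"
    return None


def scan(log_text):
    """Run check_event over every non-empty record and collect the alerts."""
    return [a for a in (check_event(l) for l in log_text.splitlines() if l) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

In the constructed sample, only the Excel-spawned AutoHotkey and the unsigned TV.DLL in a user profile directory produce alerts; the signed DLL under Program Files and the explorer-launched AutoHotkey do not.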

Going by the activity and targets, researchers claim that the attackers behind the campaign are financially motivated.
