Tuesday, September 27, 2016

New Macro Variant

On 06 September 2016, Wapack Labs received incident details involving a macro malware variant that is researcher-aware and leverages a new method of string obfuscation. Macro-based malware, one of the most prevalent malware delivery mechanisms, uses embedded macros in Microsoft Office documents to download and install malware on a victim’s machine. Over 3,600 additional samples of this variant, using the same obfuscation method, were found on VirusTotal. Artifacts from these files suggest widespread targeting across various industries.
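The page does not describe the new obfuscation method itself, so the following is a generic triage aid added here as an example; it is not code from the Wapack Labs report. It assumes the VBA source has already been extracted from the document (for instance with a tool such as olevba from oletools), checks an OOXML package for an embedded vbaProject.bin, recovers strings that are assembled only from Chr()/ChrW() calls and literals joined with `&` (a common string-obfuscation pattern, assumed here rather than taken from the report), and scores auto-execution and suspicious-call indicators. The macro text, the benign macro and the zip package are all constructed for the demonstration; the URL inside the sample is a placeholder.

```python
"""Defensive triage heuristics for Office macro documents and extracted VBA source.

Added example; the scoring thresholds and indicator lists are assumptions,
not the method described in the original report.
"""
import io
import re
import zipfile

# Auto-execution entry points: a macro that runs on open without user action.
AUTOEXEC = re.compile(r"\b(AutoOpen|Document_Open|Workbook_Open|Auto_Open|AutoExec)\b", re.I)
# Calls that commonly appear in downloader/dropper macros.
SUSPICIOUS = re.compile(r"\b(Shell|CreateObject|URLDownloadToFile|Environ|Kill)\b", re.I)
# Chr()/ChrW() calls: many of them usually means a character-by-character built string.
CHR_CALL = re.compile(r"\bChrW?\s*\(\s*\d+\s*\)", re.I)

# One "atom" of a concatenation chain: a Chr() call or a double-quoted literal.
ATOM = r'(?:ChrW?\s*\(\s*\d+\s*\)|"(?:[^"]|"")*")'
CHAIN = re.compile(ATOM + r"(?:\s*&\s*" + ATOM + r")+", re.I)
# Tokenizer for a single chain: Chr(n) | "literal" | &, with surrounding whitespace.
TOKEN = re.compile(r'\s*(?:ChrW?\s*\(\s*(\d+)\s*\)|"((?:[^"]|"")*)"|(&))\s*', re.I)

# Constructed sample macro (not a real sample): builds a placeholder URL and
# an object name out of Chr() calls and literals.
SAMPLE_VBA = '''
Sub AutoOpen()
    Dim s As String
    s = Chr(104) & Chr(116) & Chr(116) & Chr(112) & ":" & "//" & Chr(101) & Chr(120) & "ample" & ".invalid/x"
    Set o = CreateObject(Chr(77) & Chr(83) & "XML2.XMLHTTP")
    o.Open "GET", s, False
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_VBA = '''
Sub FormatReport()
    Range("A1").Font.Bold = True
End Sub
'''


def build_sample_package(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML-style zip, optionally with word/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder OLE stream")
    return buf.getvalue()


def has_vba_project(package: bytes) -> bool:
    """True if the OOXML package carries an embedded VBA project (any part named vbaProject.bin)."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def decode_literal_concat(expr: str):
    """Evaluate a concatenation made only of Chr()/ChrW() calls and string literals.

    Returns None if anything else (a variable, a function call) appears, so that
    partially-static chains are not silently misreported.
    """
    out, pos = [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            return None
        code, literal, _amp = m.groups()
        if code is not None:
            out.append(chr(int(code)))
        elif literal is not None:
            out.append(literal.replace('""', '"'))
        pos = m.end()
    return "".join(out)


def recover_strings(source: str) -> list:
    """Recover every fully static Chr()/literal concatenation chain in the VBA source."""
    return [decode_literal_concat(m.group(0)) for m in CHAIN.finditer(source)]


def score_macro(source: str) -> dict:
    """Score extracted VBA source on auto-exec, suspicious calls and string-building density."""
    findings = {
        "autoexec": bool(AUTOEXEC.search(source)),
        "suspicious_calls": sorted({name.lower() for name in SUSPICIOUS.findall(source)}),
        "chr_calls": len(CHR_CALL.findall(source)),
        "concat_ops": source.count("&"),
        "recovered_strings": recover_strings(source),
    }
    score = 0
    if findings["autoexec"]:
        score += 2
    score += min(len(findings["suspicious_calls"]), 3)
    if findings["chr_calls"] >= 5:  # threshold is an assumption
        score += 2
    if findings["concat_ops"] >= 10:  # threshold is an assumption
        score += 1
    findings["score"] = score
    findings["verdict"] = "suspicious" if score >= 4 else "review" if score >= 2 else "likely benign"
    return findings


if __name__ == "__main__":
    print("package has VBA project:", has_vba_project(build_sample_package(True)))
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(label, score_macro(src))
```

The recovered strings are the part an analyst most wants at triage time: the decoder only resolves chains that are entirely static, which keeps it honest about what it could not evaluate and gives a quick view of what the obfuscation was hiding before any dynamic analysis.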

This report includes details on the new macro variant delivery mechanism and infrastructure leveraged in these attacks.

Publication date: 26 September 2016

Handling requirements: Traffic Light Protocol (TLP) AMBER

Actor type: Adversary capabilities have been assessed as Tier 1*

Past reporting: Red Sky Alliance: DOC-3977

Indicators: https://www.threatrecon.co/search?keyword=New_Macro_Variant, redsky.soltra.com

*Practitioners who rely on others to develop the malicious code, delivery mechanisms, and execution strategy (use known exploits). 

The full attribution report has been published in its entirety in the Red Sky Alliance portal. For more information, please contact the lab directly at 844-4-WAPACK, 603-606-1246, or feedback@wapacklabs.com.

About Wapack Labs

Wapack Labs, located in New Boston, NH, is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC and individual organizations by offering expert-level targeted intelligence analysis answering some of the hardest questions in Cyber. Wapack Labs’ engineers, researchers and analysts use deep analysis techniques and visualization to design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information. The intelligence derived from these tools and techniques serves as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.