Malspam activity was observed on November 28th delivering a variant of the Slingup backdoor. In this blog post, we will go over the network activity in RSA NetWitness Packets.
The embedded obfuscated VBA code launches upon opening the document:
The VBA code launches powershell to download an executable from a delivery domain:
When the malware runs on the infected system, it appears to reach back out to the delivery domain to download additional plugins. While the filename varies from one GET request to another, the directory stays the same, /Panel/plugins/:
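The pattern above (a fixed directory with a changing filename) is something a defender can key on. The following is an added example, not code from the original post or from RSA NetWitness: it runs over a constructed list of HTTP request records and flags hosts that served several distinct files from /Panel/plugins/; the host name is a placeholder, not the campaign's delivery domain.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of HTTP request records (method, host, URI). These are
# not captures from the campaign; "delivery-domain.example" is a placeholder.
SAMPLE_REQUESTS = [
    ("GET", "delivery-domain.example", "/Panel/plugins/abc123.dat"),
    ("GET", "delivery-domain.example", "/Panel/plugins/zz9qk.dat?v=2"),
    ("GET", "delivery-domain.example", "/Panel/plugins/m0pl1.dat"),
    ("GET", "cdn.vendor.example", "/static/js/app.js"),
    ("POST", "delivery-domain.example", "/Panel/gate.php"),
]

# Match a single file name directly under /Panel/plugins/. Case-insensitive
# matching is a defensive generalisation; the post shows the path as written.
PLUGIN_DIR = re.compile(r"^/Panel/plugins/([^/?]+)$", re.IGNORECASE)


def flag_plugin_fetches(requests, min_distinct=2):
    """Return {host: sorted filenames} for hosts that served at least
    `min_distinct` different files from /Panel/plugins/ via GET.

    One hit could be coincidence; several distinct filenames fetched from
    the same directory on one host is the plugin-download behaviour
    described above and is worth an alert.
    """
    seen = defaultdict(set)
    for method, host, uri in requests:
        if method.upper() != "GET":
            continue
        path = urlsplit(uri).path  # drop any query string before matching
        match = PLUGIN_DIR.match(path)
        if match:
            seen[host.lower()].add(match.group(1))
    return {h: sorted(f) for h, f in seen.items() if len(f) >= min_distinct}


if __name__ == "__main__":
    for host, files in flag_plugin_fetches(SAMPLE_REQUESTS).items():
        print(f"{host}: {len(files)} distinct plugin fetches -> {files}")
```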
The server responds with obfuscated payloads as shown below:
- purchase order.doc (SHA256):
- loader.exe (SHA256):