18 Jul 2019
Microsoft Security Intelligence has sent out a new set of Tweets outlining an attack strategy that uses a number of Windows toolsets to install a remote access trojan (RAT) malware onto victims’ systems. The malware uses executables, tools, and scripts to avoid detection.
According to KnowBe4, here’s how it works:
The potential victim receives an email written in Korean containing an Excel spreadsheet as an attachment. Once opened, the Excel file runs the MSlexec.com macro which downloads a Microsoft Installer (MSI) file. The MSI file contains a digitally signed executable that decrypts and loads a second executable directly into memory. This second executable downloads another digitally signed file, wsus.exe, which runs and loads the malware “FlawedArmmy RAT” infection.
All of this from a simple click to open a spreadsheet.
This is a prime example of why Security Awareness Training is such a vital part of any cybersecurity strategy. Users who have undergone security awareness training are much less likely to open suspicious emails and attachments. This type of phishing attack would be fairly obvious to trained users.