AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of a malicious Word file disguised as a profile template from emails impersonating a certain professor.
‘[Attachment] Profile Template.doc’ is the filename of the password-protected Word file that was discovered, with the password itself being included in the body of the email.
A malicious VBA macro is contained within the Word file, which, upon being activated, connects to a C2 via PowerShell before downloading and executing an additional script.
The type of malware that is ultimately executed is the same as the one identified in Malicious Word Document Being Distributed in Disguise of a News Survey as it collects the information saved on browsers.
However, unlike the previous code which used FTP to leak user credentials, the team has confirmed that the current version is an altered script that uses the GitHub API to transmit the information to a certain repository.
Data gathered from victims are believed to have been uploaded onto this GitHub repository in question.
Additionally, there has recently been a confirmed case of the Red Eyes threat group (also known as APT37, ScarCruft) also using GitHub as their malware distribution site. (Refer to the references below)
As scripts are continuously evolving like the one in this post, users are advised to take extra caution.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.