During the last couple of weeks of the year the infosec industry was abuzz with methods for both building and using malicious Microsoft Office documents. Borrowing another staple of the office world, a phishing campaign stores its RAT payloads on a Google Cloud Storage domain. Also noteworthy is research that connects the TTPs of illicit cryptomining campaigns, and research that links several malware families through a shared loader.

For more articles, check out our #onpatrol4malware blog.

malicious Microsoft Office documents

Analysis of the latest Emotet propagation campaign

Source: ESET

In November, we issued warnings about a huge new spam campaign which was being used to propagate Emotet. On this occasion though, the implementation is a little unusual, consisting of a downloader incorporated into an Office file. Read more.


Ransomware suspected in cyberattack that crippled major US newspapers

Source: ZDNet

The Ryuk ransomware strain is the primary suspect in a cyberattack that caused printing and delivery disruptions for several major US newspapers over the weekend. All Tribune Publishing newspapers were impacted to some degree by the cyberattack. Read more.


Cybercriminals Use Malicious Memes that Communicate with Malware

Source: Trend Micro

The malware authors have posted two tweets featuring malicious memes on October 25 and 26 via a Twitter account created in 2017. Twitter has already taken the account offline as of December 13, 2018. Read more.


What are Deep Neural Networks Learning About Malware?

Source: FireEye

An increasing number of modern antivirus solutions rely on machine learning (ML) techniques to protect users from malware. Can we take advantage of these advances in deep learning to automatically learn how to detect malware without costly feature engineering? Read more.


Connecting the dots between recently active cryptominers

Source: Cisco TALOS

Through Cisco Talos’ investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many of these campaigns shared remarkably similar TTPs. Read more.


LCG Kit: Sophisticated builder for Malicious Microsoft Office Documents

Source: Proofpoint

Proofpoint researchers discovered “LCG Kit,” a weaponized document builder service, in March 2018. Since we began tracking LCG Kit, we have observed it using the Microsoft Equation Editor CVE-2017-11882 [1] exploit in various forms. Read more.
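Documents built with kits like the one above still have to carry an Equation Editor object for CVE-2017-11882 to fire, so a cheap triage check is to look for that object's fingerprints. The script below is an added example written for this digest, not code from Proofpoint or from the LCG Kit research. It scans a file body for the Microsoft Equation 3.0 CLSID ({0002CE02-0000-0000-C000-000000000046}), the Equation.3 ProgID, and the "Equation Native" stream name, handling both RTF (where the object sits hex-encoded in \objdata) and raw OLE2 containers. The sample inputs are constructed for the example and contain no exploit.

```python
import re

# CLSID {0002CE02-0000-0000-C000-000000000046} (Microsoft Equation 3.0) as it
# appears little-endian inside OLE object data: Data1/2/3 byte-swapped, Data4 as-is.
EQUATION_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Stream name carried by Equation 3.0 objects; OLE2 directory entries store it as UTF-16LE.
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")

# Hex payload following an RTF \objdata control word (whitespace/newlines allowed).
OBJDATA_HEX = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def _decode_objdata(blob):
    """Return the decoded bytes of every \\objdata hex payload in an RTF body."""
    chunks = []
    for m in OBJDATA_HEX.finditer(blob):
        hexchars = re.sub(rb"\s+", b"", m.group(1))
        hexchars = hexchars[: len(hexchars) - len(hexchars) % 2]  # drop a dangling nibble
        if hexchars:
            chunks.append(bytes.fromhex(hexchars.decode("ascii")))
    return chunks


def find_equation_editor_markers(blob):
    """Return a sorted list of Equation Editor indicators found in an RTF or OLE2 blob."""
    markers = []
    low = blob.lower()
    if low.startswith(b"{\\rtf"):
        if re.search(rb"\\objclass\s*equation\.[23]", low):
            markers.append("rtf:objclass Equation")
        for chunk in _decode_objdata(blob):
            # OLE1 object headers name the ProgID in ASCII before the object data.
            if b"Equation.3" in chunk or b"Equation.2" in chunk:
                markers.append("rtf:objdata ProgID Equation")
            if EQUATION_CLSID_LE in chunk:
                markers.append("rtf:objdata Equation 3.0 CLSID")
    elif blob.startswith(OLE2_MAGIC):
        if EQUATION_CLSID_LE in blob:
            markers.append("ole:Equation 3.0 CLSID")
        if EQUATION_NATIVE_UTF16 in blob:
            markers.append("ole:Equation Native stream")
        if b"equation.3" in low:
            markers.append("ole:Equation.3 ProgID")
    return sorted(set(markers))


# Constructed inputs for the example (not real samples): an OLE1-style prefix naming
# the ProgID, followed by the Equation 3.0 CLSID, hex-encoded as RTF \objdata.
_fake_objdata = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00" + EQUATION_CLSID_LE
).hex().encode("ascii")
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
    + _fake_objdata
    + b"}}}"
)
SAMPLE_OLE = OLE2_MAGIC + b"\x00" * 64 + EQUATION_NATIVE_UTF16 + b"\x00" * 8 + EQUATION_CLSID_LE
SAMPLE_BENIGN_RTF = b"{\\rtf1\\ansi Quarterly figures attached.\\par}"
SAMPLE_BENIGN_OLE = OLE2_MAGIC + b"\x00" * 128


def scan_samples():
    """Run the scanner over the constructed samples; returns {name: markers}."""
    samples = {
        "rtf_equation": SAMPLE_RTF,
        "ole_equation": SAMPLE_OLE,
        "rtf_benign": SAMPLE_BENIGN_RTF,
        "ole_benign": SAMPLE_BENIGN_OLE,
    }
    return {name: find_equation_editor_markers(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {hits or 'no Equation Editor markers'}")
```

Treat a hit as a reason to detonate or hand-parse the file, not as a verdict: the "various forms" the Proofpoint excerpt mentions include RTF obfuscation (split or padded hex, bogus control words inside \objdata) that a regex like the one above will not always untangle, and a benign document can legitimately embed an Equation 3.0 object. A full parser such as oletools' rtfobj/oleobj is the right second step.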


URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader

Source: Trend Micro

We discovered a connection between EMOTET, URSNIF, DRIDEX and BitPaymer from open source information and the loaders of the samples we had, functioning as if tasks were divided among different developers and operators. Read more.


Phishing campaign targets finance employees with RATs downloaded from Google Cloud Storage

Source: SC Media

A recently discovered phishing campaign has been targeting financial sector employees in the U.S. and UK with remote access trojan payloads stored on a Google Cloud Storage domain. Read more.