Some time ago, researchers discovered an interesting campaign distributing malicious documents, which used a download chain as well as legitimate payload-hosting services. The payloads are hidden in an encrypted data file. The sites that offer this service are written in Spanish, but the document is simple to understand.
The goal of this campaign was to distribute a malicious insertion tool. This interactive program can be used for various purposes, such as automatically decrypting Microsoft Office documents, sabotaging websites through DDoS attacks, and even stealing money from online bank accounts.
This campaign has been active for a long time and has finally gained some international attention. It is commonly known as Tandem Espionage.
PacketFlyer analyzed this campaign in detail, examining the malicious documents, the websites used to host them, and even some of the malicious programs used to steal online-banking credentials. Using our own research methods and our visibility into where malware distribution is happening, we were able to identify this campaign.
The proof of concept (PoC) in this campaign uses a decryption tool that preys on a vulnerability in Microsoft Office 2007; it runs automatically and spreads the malicious program to other computers after completing the decryption process.
The main distribution method used in this campaign is very simple. First, an Excel document is distributed to lure users into opening it and visiting a website hosting malware. The malicious code will only execute if the Windows version is Windows 7 or later and the Office version is Office 2010 or later.
Here's how it works. First, the document loads and displays an error message with a link that leads to a Spanish-language website called 'docsdistribution' (https://docsdistribution[.]com/).
Evidence that this campaign has been active comes from the many security professionals around the world who have reported the issue to the Microsoft Security Response Center (MSRC). Last year, MSRC received over 7,000 submissions from around the world for this campaign. We have received about 50 such submissions from our platform in the last week.
When you click on this link, a fake update page is displayed. This page is also served from a domain called. This domain was registered as recently as this week. It also contains fake statements about the status of the update for your computer. This page lets you download a fake Microsoft update, which silently installs a program called "DocShow" that steals your Microsoft Office 2010 or 2013 documents and sends them back to the attacker, who then opens and decrypts them.
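The lure described above relies on an external hyperlink embedded in an Excel workbook. A defender can surface such links without opening the file in Office, because .xlsx files are ZIP containers and every external hyperlink is declared as a relationship with TargetMode="External" in one of the package's `_rels/*.rels` parts. The following Python scanner is an added example written for this article; it is not code from PacketFlyer or from the campaign. The only indicator it uses is the docsdistribution domain named above; the sample workbook it builds in memory is constructed for the demonstration, and the minimal set of parts it writes is an assumption sufficient for the scan rather than a complete, Excel-valid workbook.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Indicator taken from the write-up (defanged there as docsdistribution[.]com).
BLOCKED_DOMAINS = {"docsdistribution.com"}

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                  "relationships/hyperlink")


def external_hyperlinks(xlsx_bytes):
    """Return every external hyperlink target declared in the workbook.

    OOXML stores cell hyperlinks as relationships in xl/**/_rels/*.rels,
    not in the cell XML itself, so scanning the .rels parts is enough.
    Non-ZIP input (e.g. a legacy binary .xls) yields an empty list.
    """
    targets = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(xlsx_bytes))
    except zipfile.BadZipFile:
        return targets
    with zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("TargetMode") == "External"
                        and rel.get("Type") == HYPERLINK_TYPE):
                    targets.append(rel.get("Target"))
    return targets


def flagged_hyperlinks(xlsx_bytes, blocked=BLOCKED_DOMAINS):
    """Return the hyperlinks whose host is, or is a subdomain of, a blocked domain."""
    hits = []
    for url in external_hyperlinks(xlsx_bytes):
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in blocked):
            hits.append(url)
    return hits


def build_sample_xlsx(link):
    """Constructed minimal workbook with one hyperlink in cell A1 (assumption:
    only the worksheet and its relationship part are needed for this scan)."""
    sheet = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>Click to view</t></is></c></row></sheetData>'
        '<hyperlinks><hyperlink ref="A1" r:id="rId1"/></hyperlinks>'
        '</worksheet>'
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{HYPERLINK_TYPE}" Target="{link}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_xlsx("https://docsdistribution.com/update")
    print("flagged:", flagged_hyperlinks(lure))
    benign = build_sample_xlsx("https://example.org/report")
    print("flagged:", flagged_hyperlinks(benign))
```

Because the check reads only the relationship parts, it never evaluates formulas or macros, so it is safe to run on untrusted attachments at a mail gateway or in a triage script; matching on the hostname rather than a substring of the URL avoids both false positives on look-alike paths and false negatives on subdomains.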