Deploying Backdoors in Windows via Word Docs
These malicious actors have been tricking victims into clicking through phishing emails that contain ransomware and even banking trojans- by sending email alerts that require immediate action, like emails from the German Federal Ministry of Finance, United States Postal Service, law enforcement and finance firms. But, what's happening behind the curtains is them deploying ransomware in your windows via a word document, that opens when you open the attachment.
Proofpoint researchers have been observing these impersonators from October 16 until November 12, 2019, their collected data gave a clear sight of the attacker's target, how they operate by sending spams to companies, IT units from Germany, Italy, and United States. “Researchers also Observed a consistent set of TTP (Tactics, Techniques, and Procedures) that allows attribution of these campaigns to a single actor with high confidence. These include the use of .icu domains, as well as identical email addresses for the Start of Authority (SOA) resource records stored for the DNS entries for the domains used in these campaigns”, Proof point said.
Among the samples, the emails contained attached weaponized word documents which when opened, made the system perform a series of commands- that is turning on PowerShell script, which eventually downloads and installs the Maze ransomware. In targets related to Healthcare Vertical and companies, the emails and word documents installed IcedID payload trojan into the system.