Malicious MS Office files are spreading Gorloted malware
SonicWall CaptureLabs Threats Research Team identified a new wave of malicious Office files being distributed via phishing emails which are downloading malware belonging to Gorloted Family. We are observing MS-Excel, MS-Word and RTF files are used to spread the malware. VBA Macro code is used to download and execute the Golroted sample.
URL from where the malware is downloaded is stored in the file in an encrypted form which is decrypted by the macro. In MS-Word file, encrypted data is stored as ActiveDocument variable whereas in MS-Excel file, encrypted data stored in one of the Cells above 100 as shown below:
Malicious Document file has an embedded image and will appear as shown below:
To evade detection and deceive userRTF file which carries one or more malicious MS-Excel files is also used to spread this malware. The RTF file will look as shown below:
Some clean macro code has also been added to the malicious macro as shown below which could confuse a researcher.
SonicWall Capture Labs provides protection against this threat via the following signatures:
- GAV: MalOffice.G1 (Trojan)
- GAV: MalOffice.G2 (Trojan)
- GAV: MalOffice.G3 (Trojan)
- GAV: MalOffice.G4 (Trojan)
- GAV: MalOffice.G5 (Trojan)
- GAV: MalOffice.G6 (Trojan)
This threat is detected pro-actively by Capture ATP w/RTDMI.
Indicators Of Compromise:
Presence of following hash:
Network traffic to following URLs: