Alerts & Notice | Last Updated: 09/07/2023

Document.exe: New malicious Word file by Iranian state-backed hackers

Publish Date: Sunday, 09 July 2023, 8:17 PM UTC

In the past few days, a malicious Word document sample, believed to be linked to Iranian state-backed hackers, was shared with our team at CERTFA Lab by a community member. 

Our initial analysis found that the sample contains an OLE object and an AutoOpen macro. The macro reads obfuscated text from UserForm1.TextBox1, decodes it into ASCII characters, base64-decodes the resulting string, and writes the decoded payload to the victim's system at C:\Users\Public\Document.exe.
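The decode chain described above, reconstructed in Python for offline triage. This is an added example, not CERTFA's tooling and not the macro's own code. The alert does not say how the TextBox1 text is obfuscated, so the script assumes a delimiter-separated list of decimal character codes that spell out a base64 string; replace decode_textbox() with the real scheme once you have the sample. The optional oletools helper uses VBA_Parser.extract_form_strings(), which is a real olevba API, but the constructed payload and the hash comparison against the six 64-hex-character (SHA-256) hashes from the alert's IOC list are illustrative only.

```python
"""Reconstruct the Document.exe dropper's decode chain from UserForm text.

Added triage example, not CERTFA's code. ASSUMPTION: TextBox1 holds
delimiter-separated decimal character codes of a base64 string.
"""
import base64
import hashlib
from typing import List, Optional

# SHA-256 hashes published in the alert's IOC section (64 hex chars each).
KNOWN_SHA256 = {
    "745dbeaae57ae8768e473b156c7d68a1693bb07e2a0afe6edf0c87ec718980b8",
    "5ae404afd79a7473d1f5721e0ada9e7237bb27b502c3e0feb7d423408c945e91",
    "b86501dc2b99b753206b6a59f357a8fe3fef40f1d8624c6839514c1ebfc2b2d1",
    "28d0cfc57904cfa395f9f50a7b7af365b9b0e262e409c237284155b14cdb3803",
    "2a9f8c478aaed11d7ed069de3ce2c9853c759919e50448e20c6f5cedfd2d8413",
    "c84319620eb3a44f47fefacfaa614119f59544ca272d3e0c742dcdb033c7baa8",
}

# Drop location named in the alert (reported, never written to, by this script).
DROP_PATH = r"C:\Users\Public\Document.exe"


def decode_textbox(obfuscated: str, sep: str = ",") -> str:
    """Step 1 (assumed scheme): decimal character codes -> ASCII text."""
    codes = [int(tok) for tok in obfuscated.split(sep) if tok.strip()]
    if any(not 0 <= c < 128 for c in codes):
        raise ValueError("non-ASCII code found; the assumed obfuscation scheme is wrong")
    return "".join(chr(c) for c in codes)


def recover_payload(obfuscated: str, sep: str = ",") -> bytes:
    """Step 2: base64-decode the ASCII text into the dropped executable bytes."""
    return base64.b64decode(decode_textbox(obfuscated, sep), validate=True)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """True if the recovered bytes hash to one of the alert's published hashes."""
    return sha256_hex(data) in KNOWN_SHA256


def obfuscate_for_test(payload: bytes, sep: str = ",") -> str:
    """Inverse of the assumed scheme; only used to build a constructed sample."""
    b64 = base64.b64encode(payload).decode("ascii")
    return sep.join(str(ord(ch)) for ch in b64)


def textbox_strings_from_doc(path: str) -> Optional[List[str]]:
    """Pull UserForm strings from a real .doc/.docm with oletools, if installed."""
    try:
        from oletools.olevba import VBA_Parser
    except ImportError:
        return None
    vba = VBA_Parser(path)
    try:
        return [form_string for (_, _, form_string) in vba.extract_form_strings()]
    finally:
        vba.close()


if __name__ == "__main__":
    # Constructed stand-in for the dropped file; NOT the real Document.exe.
    fake_exe = b"MZ" + b"\x00" * 14 + b"constructed-sample"
    recovered = recover_payload(obfuscate_for_test(fake_exe))
    print(f"recovered {len(recovered)} bytes, sha256 {sha256_hex(recovered)}")
    print("matches a published IOC hash:", is_known_sample(recovered))
    print("expected drop path on a victim:", DROP_PATH)
```

To use it on a real sample, feed each string returned by textbox_strings_from_doc() to recover_payload() and compare the result's hash with KNOWN_SHA256; a mismatch on the base64 step (binascii.Error) usually means the obfuscation assumption, not the file, is wrong.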

The Document.exe payload then collects victim information such as the computer name, username and IP address, and sends this data to the attacker's command-and-control (C2) server.

Although Iranian groups such as MuddyWater also commonly use macros as an initial access vector, at this point we cannot attribute this malware to a specific Iranian threat actor or determine whether it is part of a new campaign. The evidence does indicate that, since at least 13 June 2023, this Trojan has been used to target members of the Mojahedin-e-Khalq (MEK) or individuals associated with that organization.


IOCs:

SHA-256:
745dbeaae57ae8768e473b156c7d68a1693bb07e2a0afe6edf0c87ec718980b8
5ae404afd79a7473d1f5721e0ada9e7237bb27b502c3e0feb7d423408c945e91
b86501dc2b99b753206b6a59f357a8fe3fef40f1d8624c6839514c1ebfc2b2d1
28d0cfc57904cfa395f9f50a7b7af365b9b0e262e409c237284155b14cdb3803
2a9f8c478aaed11d7ed069de3ce2c9853c759919e50448e20c6f5cedfd2d8413
c84319620eb3a44f47fefacfaa614119f59544ca272d3e0c742dcdb033c7baa8

IP addresses:
195.93.173[.]229
194.143.146[.]31
91.228.218[.]136
195.93.173[.]161

Domains:
news24info[.]pro
forsports[.]xyz
speedup-pc[.]online
booster724[.]online
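The C2 beacon described earlier and the network indicators above, turned into a small log sweep as an added example (this is not CERTFA's tooling). It refangs the published IPs and domains, matches them against DNS, proxy and EDR log lines, treats subdomains of a listed domain as hits but not unrelated hosts that merely contain it, and also flags the drop path C:\Users\Public\Document.exe in process-creation events. The log lines and the 10.0.0.0/8 client addresses are constructed for the example; only the indicators come from the alert.

```python
"""Sweep log lines for the network and host indicators from the CERTFA alert.

Added detection example, not CERTFA's code. SAMPLE_LOGS is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators copied from the alert, still in the defanged form it publishes.
DEFANGED_IPS = ["195.93.173[.]229", "194.143.146[.]31", "91.228.218[.]136", "195.93.173[.]161"]
DEFANGED_DOMAINS = ["news24info[.]pro", "forsports[.]xyz", "speedup-pc[.]online", "booster724[.]online"]
DROP_PATH = r"C:\Users\Public\Document.exe"


def refang(indicator: str) -> str:
    """Turn the published defanged form back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_IPS}
IOC_DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}

_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "ip", "domain" or "drop_path"
    indicator: str   # the refanged indicator that matched


def domain_matches(host: str) -> Optional[str]:
    """Return the listed domain if host is it or a subdomain of it, else None."""
    host = host.lower().rstrip(".")
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_log_lines(lines: Iterable[str]) -> List[Hit]:
    """Match every line against the IP, domain and drop-path indicators."""
    hits: List[Hit] = []
    for line_no, line in enumerate(lines, 1):
        for token in _IP_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:          # e.g. 999.1.1.1 slipped past the regex
                continue
            if addr in IOC_IPS:
                hits.append(Hit(line_no, "ip", str(addr)))
        for host in _HOST_RE.findall(line):
            matched = domain_matches(host)
            if matched:
                hits.append(Hit(line_no, "domain", matched))
        if DROP_PATH.lower() in line.lower():
            hits.append(Hit(line_no, "drop_path", DROP_PATH))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2023-06-14T09:12:03Z dns client=10.0.0.23 query=news24info.pro type=A",
    "2023-06-14T09:12:04Z proxy src=10.0.0.23 dst=195.93.173.229:443 method=POST url=/api",
    "2023-06-14T09:15:10Z dns client=10.0.0.41 query=cdn.forsports.xyz type=A",
    "2023-06-14T09:15:11Z proxy src=10.0.0.41 dst=93.184.216.34:443 method=GET url=/",
    "2023-06-14T09:20:00Z edr host=WS07 event=ProcessCreate image=C:\\Users\\Public\\Document.exe parent=WINWORD.EXE",
    "2023-06-14T09:21:00Z dns client=10.0.0.23 query=news24info.pro.example.net type=A",
]


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} -> {hit.indicator}")
```

The last sample line is the reason for the suffix check in domain_matches(): a plain substring search would flag news24info.pro.example.net, which shares nothing with the listed C2 beyond the characters. A Word process (WINWORD.EXE) spawning the drop path is the host-side signal worth alerting on independently of the network hits.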