Talos Blog, added 2024/04/17

OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal

During a threat-hunting exercise, Cisco Talos discovered documents with potentially confidential information originating from Ukraine. The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. The results of the investigation have shown that the...

Talos Blog, added 2023/07/13

Malicious campaigns target government, military and civilian entities in Ukraine, Poland

Cisco Talos has discovered a threat actor conducting several campaigns against government entities, military organizations and civilian users in Ukraine and Poland. We judge that these operations are very likely aimed at stealing information and gaining persistent remote access. The activity we...

Securelist, added 2023/06/28

Andariel’s silly mistakes and a new malware family

Introduction: Andariel, a part of the notorious Lazarus group, is known for its use of the DTrack malware and Maui ransomware in mid-2022. During the same period, Andariel also actively exploited the Log4j vulnerability as reported by Talos and Ahnlab. Their campaign introduced several new malware...

Talos Blog, added 2022/02/09

What’s with the shared VBA code between Transparent Tribe and other threat actors?

By Vanja Svajcer and Vitor Ventura. Recently, we've been researching several threat actors operating in South Asia (Transparent Tribe, SideCopy, etc.) that deploy a range of remote access trojans (RATs). After a hunting session in our malware sample repositories and VirusTotal while looking into...

FireEye, added 2020/11/19

Purgalicious VBA: Macro Obfuscation With VBA Purging

Malicious Office documents remain a favorite technique for every type of threat actor, from red teamers to FIN groups to APTs. In this blog post, we will discuss "VBA Purging", a technique we have increasingly observed in the wild and that was first publicly documented by Didier Stevens in Februa...

Microsoft KB, added 2020/04/13

Description of the Microsoft Office for Mac 2011 14.3.2 Update

Describes the security update for Microsoft Office for Mac 2011 14.3.2 that was released on March 12, 2013. Introduction: Microsoft has released security bulletin MS13-026. This security bulletin contains all the relevant information about the security update for Microsoft Office for Mac 2011. To vi...

Carbon Black Blog, added 2019/03/18

TAU Threat Intelligence Notification: Operation SharpShooter

Operation Sharpshooter leverages embedded shellcode as an in-memory implant to download and retrieve a second-stage implant known as Rising Sun. Rising Sun uses source code from the Duuzer backdoor, which has been used in a past campaign of the Lazarus group. This newly discovered campaig...

Carbon Black Blog, added 2019/02/28

TAU Threat Intelligence Notification: DarkHydrus/RogueRobin

Recently, Palo Alto Unit 42 released an updated report regarding new DarkHydrus delivery documents, which includes the installation of an updated variant of the RogueRobin trojan. This document includes details on both DarkHydrus and RogueRobin, along with detection rules and search queries that...

Kitploit, added 2018/11/20

Vba2Graph - Generate Call Graphs From VBA Code, For Easier Analysis Of Malicious Documents

A tool for security researchers who waste their time analyzing malicious Office macros. Generates a VBA call graph with potentially malicious keywords highlighted. Allows for quick analysis of malicious macros and easy understanding of the execution flow. @MalwareCantFly Features: Keyword...

Kitploit, added 2018/08/18

wePWNise - Generates Architecture Independent VBA Code To Be Used In Office Documents Or Templates And Automates Bypassing Application Control And Exploit Mitigation Software

wePWNise is a proof-of-concept Python script which generates VBA code that can be used in Office macros or templates. It was designed with automation and integration in mind, targeting locked-down environment scenarios. The tool enumerates Software Restriction Policies (SRPs) and EMET mitigations and...

ThreatPost, added 2018/06/19

Olympic Destroyer Returns to Target Biochemical Labs

Olympic Destroyer, the threat actor that caused a crippling sabotage attack on the networks supporting this year’s Winter Games in Pyeongchang, South Korea, has resurfaced with a spy campaign – and with a wider target range. The new campaign began last month and is ongoing, employing spear-phishi...

Malwarebytes, added 2018/05/25

Malware analysis: decoding Emotet, part 1

Emotet Banking Trojan malware has been around for quite some time now. As such, infosec researchers have made several attempts to develop tools to de-obfuscate and even decrypt the AES-encrypted code belonging to this malware. The problem with these tools is that they target active versions of th...

The Hacker News, added 2017/11/23

MS Office Built-In Feature Could be Exploited to Create Self-Replicating Malware

Earlier this month a cybersecurity researcher shared details of a security loophole with The Hacker News that affects all versions of Microsoft Office, allowing malicious actors to create and spread macro-based self-replicating malware. Macro-based self-replicating malware, which basically allows...

EUVD, added 2012/07/12

EUVD-2012-1671

ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map .mxd file...

CVSS 9.3, EPSS 0.00717
securityvulns, added 2011/03/01

ClamAV antivirus double free vulnerability

Double free vulnerability in Microsoft Office document VBA code parsing...

CVSS 6.8, EPSS 0.09445
CERT, added 2000/10/25

IE 5.01 will execute VBA code contained in Access databases when triggered from HTML code contained in an IFRAME

Overview: Under certain conditions, Internet Explorer can open Microsoft Access database or project files containing malicious code and execute the code without giving the user prior warning. Access files that are referenced by OBJECT tags in HTML documents can allow attackers to execute arbitrary...

CVSS 7.5, EPSS 0.13009
Packet Storm, added 2000/06/16

access.vba.txt

Microsoft Access Trojan VBA code: The overlooked "macro virus" -- Brief Summary: Microsoft Access Databases are not afforded "Macro execution protection" in the manner of Word/Excel/Powerpoint documents. Attackers can insert trojan VBA code into MS Access documents to execute arbitrary commands o...
