Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack
TLP: WHITE | Tag: Sofacy | Author: AlienVault | Created: 2017-11-07 | Modified: 2017-11-07
During our monitoring of activities around the APT28 threat group, McAfee Advanced Threat Research analysts identified a malicious Word document that appears to leverage the Microsoft Office Dynamic Data Exchange (DDE) technique previously reported by Advanced Threat Research. This document likely marks the first observed use of this technique by APT28. The use of DDE with PowerShell allows an attacker to execute arbitrary code on a victim's system regardless of whether macros are enabled. (McAfee product detection is covered in the Indicators of Compromise section at the end of the original McAfee document.) APT28 has recently focused on using different themes; in this case it capitalized on the recent terrorist attack in New York City. The document itself is blank. Once opened, the document contacts a control server to drop the first stage of the malware, Seduploader, onto the victim's system.
Indicators of Compromise (11)