Check Point Reported That Chinese APT Hackers Exploit MS Word Bug To Drop Malware - Cybers Guards

A few malicious documents have been distributed in Mongolian, one of them allegedly from the Ministry of Foreign Affairs of Mongolia, and the documents include information about recent Coronavirus infections. The attackers also used modified malware techniques in this campaign to weaponize RTF documents. Information collected in this attack shows that the RTF files were built with Royal Road, an RTF weaponizer named by Anomali and often called the '8.t' RTF exploit builder, which is used here mainly to exploit the vulnerability in the Microsoft Word Equation Editor. This attack is suspected to be launched by a long-running APT group that targets various governments and the private sector, and the new campaign leverages the COVID-19 pandemic to manipulate victims and exploit the outbreak.

Infection vector


When the user opens a malicious RTF document, the Microsoft Word exploit is triggered and a new file named intel.wll is dropped into the Word Startup folder.

This is one of the latest variants of the RoyalRoad arsenal's persistence technique: Word loads any DLL file with a .wll extension from the Word Startup folder when the user launches MS Word, and that launch starts the infection chain. The same approach also keeps the malicious chain from running in a sandbox, because nothing executes until Word is started again. After the intel.wll DLL is loaded, the next stage of the infection chain is downloaded and decrypted from the C2 server (95.179.242[.]6). During this next stage, the DLL loader, which is identified as the main loader of the malware framework built by the APT attackers, can retrieve additional functionality from the other C2 server. The malware includes a RAT module with the following capabilities:

- Take a screenshot
- List files and directories
- Create and delete directories
- Move and delete files
- Download a file
- Execute a new process
- Get a list of all services
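As an added, defender-side example (not code from the article or from Check Point), the script below enumerates a Word Startup folder and reports the add-in and template files that Word loads automatically at launch, which is the persistence mechanism intel.wll relies on. The default per-user path %APPDATA%\Microsoft\Word\STARTUP and the allowlist of known-good SHA-256 hashes are assumptions; pass another directory if your deployment overrides the Startup path.

```python
"""Flag auto-loaded Word add-ins (*.wll) and global templates in a Word Startup folder.

Added example, not code from the article or from Check Point. Assumes the
default per-user Startup path and no policy override of that location.
"""
import hashlib
import os
from pathlib import Path

# File types Word loads automatically from its Startup folder when it starts.
# .wll is the add-in extension used by the intel.wll dropper described above.
AUTOLOAD_SUFFIXES = {".wll", ".dot", ".dotm", ".dotx"}


def default_startup_dir() -> Path:
    """Per-user Word Startup folder on Windows (assumed default, not policy-aware)."""
    return Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Word" / "STARTUP"


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large add-ins are not read into memory at once."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_word_autoload_files(startup_dir, allowlist=frozenset()) -> list:
    """Return one finding dict per auto-loaded file whose SHA-256 is not allowlisted.

    allowlist: SHA-256 hex digests of add-ins or templates deployed on purpose
    (constructed by the caller). Extension matching is case-insensitive because
    Windows file names are.
    """
    findings = []
    startup_dir = Path(startup_dir)
    if not startup_dir.is_dir():
        return findings  # missing folder: nothing for Word to auto-load
    for entry in sorted(startup_dir.iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in AUTOLOAD_SUFFIXES:
            continue
        digest = sha256_of(entry)
        if digest in allowlist:
            continue
        findings.append({
            "path": str(entry),
            "sha256": digest,
            "size": entry.stat().st_size,
            "reason": f"unexpected {entry.suffix.lower()} file in Word Startup folder",
        })
    return findings


if __name__ == "__main__":
    for finding in find_word_autoload_files(default_startup_dir()):
        print(f"{finding['path']}  {finding['sha256']}  {finding['reason']}")
```

Run it on each endpoint as part of a baseline sweep; a non-empty result means Word will execute that file the next time it starts, so the hash should be compared against your software inventory before the file is trusted.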

Both C&C servers were hosted on Vultr servers, and the domains were registered through the GoDaddy registrar.

Indicators of compromise


RTFs:
DLLs:
RAT:
