MalwareParty

Operation JOKAA(RR) #molerats #gazacybergang #apt #malware #infosec mymalwareparty.blogspot.com/2018/11/operat…

Word add-in persistence Sample uses the CVE-2017-11882 %temp% dropper method to %APPDATA%\Microsoft\word\startup\w.wll @blu3_team @ImPureMotion mymalwareparty.blogspot.com/2018/01/word-a…

@buffaloverflow @blu3_team @ImPureMotion @HaifeiLi @edeca Thank you for the link

Starting to work on another blog post for this activity

@securitydoggo @blu3_team @ImPureMotion You already found one earlier :) This is from their earlier tests: twitter.com/securitydoggo/…

Thanks to these folks who helped find these and are always encouraging! @securitydoggo @James_inthe_box @_jsoo_

The decoded portion of the CVE-2017-11882 is "cmd /c start %TEMP%\jjjjjjjjjjjjjjjjjjj.j" which runs the executable and shows a messagebox with the word "Hacked".

Example: 5c68c0a32a8c59271afe3456430125f77b02b240fe578da6b7f398656f6cf972 This is an early test using a small executable named "jjjjjjjjjjjjjjjjjjj.j".

@blu3_team @ImPureMotion How it works Apparently embedded objects get stored in %temp% while the document is open and they use the original name. That gives us a method of "dropping" a known file to a known location. CVE-2017-11882 gives us a method of executing it.

We have recently found samples in the wild using a new method involving CVE-11882 that effectively makes it a dropper. Apologies if someone has already put this out but we haven't seen it and believe it is important. @blu3_team @ImPureMotion

First blog post... taking a stab at it, had some fun with the logo mymalwareparty.blogspot.com/2017/07/operat… #malware #molerats #infosec #cybersecurity