OceanLotus hackers turn to web archive files to deploy backdoors
2022-01-12 15:20

The OceanLotus state-sponsored hacking group is now using the web archive file format to deploy backdoors to compromised systems.

A report from Netskope Threat Labs, shared with Bleeping Computer in advance, notes that OceanLotus' campaign using web archive files is still active, even though the targeting scope is narrow and the command and control server has been disrupted.

The attack chain starts with a RAR archive that contains a 35-65MB web archive file, which in turn holds a malicious Word document.

When the web archive file is opened with Microsoft Word, the infected document prompts the victim to "Enable Content", which allows the malicious VBA macro code to execute.

After the payload is executed, the VBA code deletes the original Word file and opens the decoy document, which serves the victim a bogus error.
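As an added illustration of the delivery mechanism described above (example code written for this summary, not code from Netskope, Bleeping Computer or the OceanLotus tooling), the following Python script parses a web archive (MHTML) file with the standard library's email module and flags MIME parts that carry Office content or VBA project markers. The embedded sample file, the list of suspicious content types, the OLE2 magic check and the marker strings are constructed heuristics chosen for this example, not indicators published in the report.

```python
"""Triage helper for web archive (.mht / MHTML) files.

An MHTML file is a MIME multipart/related message, so the standard email
parser can walk its parts. A web page saved from a browser should contain
only HTML, CSS, images and similar resources; Office document bodies or
VBA project containers inside it are worth a closer look.
"""
import base64
import email
from email import policy

# OLE2 compound-file magic: Office 97-2003 documents and the editdata.mso
# container Word writes alongside saved web pages start with it.
# (assumption: heuristic chosen for this example)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Content types a plain saved web page should not carry. (assumption)
SUSPICIOUS_TYPES = {
    "application/msword",
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/x-mso",
}

# Strings that appear inside VBA project storage. (assumption)
MACRO_MARKERS = (b"vbaProject", b"_VBA_PROJECT")


def triage_mht(data: bytes) -> list[dict]:
    """Return one record per non-multipart MIME part with the reasons it was flagged."""
    msg = email.message_from_bytes(data, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type().lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ctype in SUSPICIOUS_TYPES:
            reasons.append(f"office/mso content type {ctype}")
        if payload.startswith(OLE_MAGIC):
            reasons.append("OLE2 compound file header")
        if any(marker in payload for marker in MACRO_MARKERS):
            reasons.append("VBA project marker string")
        location = part.get("Content-Location")
        findings.append({
            "type": ctype,
            "location": str(location) if location is not None else None,
            "size": len(payload),
            "reasons": reasons,
        })
    return findings


def is_suspicious(findings: list[dict]) -> bool:
    """True when at least one part tripped a heuristic."""
    return any(f["reasons"] for f in findings)


def build_mht(parts: list[tuple[str, str, bytes]]) -> bytes:
    """Assemble a minimal multipart/related file from (content_type, location, body) tuples.

    Bodies are base64-encoded so binary parts survive; this builder exists only
    to construct test input for the example.
    """
    boundary = b"----=_NextPart_000"
    out = [b"MIME-Version: 1.0\n",
           b'Content-Type: multipart/related; boundary="' + boundary + b'"\n\n']
    for ctype, location, body in parts:
        out.append(b"--" + boundary + b"\n")
        out.append(b"Content-Type: " + ctype.encode() + b"\n")
        out.append(b"Content-Transfer-Encoding: base64\n")
        out.append(b"Content-Location: " + location.encode() + b"\n\n")
        out.append(base64.encodebytes(body))
    out.append(b"--" + boundary + b"--\n")
    return b"".join(out)


# Constructed samples: a benign saved page, and one that also carries an
# OLE2 blob with a VBA project marker under a Word-style part type.
HTML_BODY = b"<html><body>Decoy page</body></html>"
OLE_BLOB = OLE_MAGIC + b"\x00" * 16 + b"vbaProject.bin" + b"\x00" * 8

BENIGN_MHT = build_mht([("text/html", "file:///C:/page.htm", HTML_BODY)])
MALICIOUS_MHT = build_mht([
    ("text/html", "file:///C:/page.htm", HTML_BODY),
    ("application/x-mso", "file:///C:/page_files/editdata.mso", OLE_BLOB),
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_MHT), ("malicious", MALICIOUS_MHT)):
        findings = triage_mht(blob)
        print(f"{name}: suspicious={is_suspicious(findings)}")
        for f in findings:
            print(f"  {f['type']:<22} {f['size']:>5} bytes  {f['location']}  {f['reasons']}")
```

The heuristics are deliberately coarse: a content-type match alone says nothing about intent, and an OLE2 header can belong to legitimate embedded objects, so the script is a triage filter to decide which archives deserve macro extraction and sandboxing, not a verdict.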

The malware collects network adapter information, the computer name and the username, enumerates system directories and files, and checks the list of running processes.


News URL

https://www.bleepingcomputer.com/news/security/oceanlotus-hackers-turn-to-web-archive-files-to-deploy-backdoors/