OceanLotus hackers turn to web archive files to deploy backdoors (Security News, January 2022)
The OceanLotus group of state-sponsored hackers is now using the web archive file format to deploy backdoors to compromised systems.
A report from Netskope Threat Labs, shared with Bleeping Computer in advance, notes that OceanLotus' campaign using web archive files is still active, although its targeting scope is narrow and its command and control server has been disrupted.
The attack chain starts with a RAR archive containing a 35-65 MB web archive file, which in turn holds a malicious Word document.
When the web archive file is opened with Microsoft Word, the infected document prompts the victim to "Enable Content", which allows the malicious VBA macro code to execute.
After the payload is executed, the VBA code deletes the original Word file and opens a decoy document that shows the victim a bogus error message.
The malware collects network adapter information, the computer name and the username, enumerates system directories and files, and checks the list of running processes.