This week the SonicWall Capture Labs Research team came across a malicious document template that delivers a remote access Trojan (RAT) to unsuspecting victims. It is disguised as a mental health survey and silently drops the RAT in the background.
Infection Cycle:
The file comes as a Microsoft Word template file with a .dotm extension. Once opened in Word, it displays a seemingly benign survey on mental health.
It creates a file in the following directory:
It then executes the aforementioned file, which performs malicious behaviors.
It spawns a legitimate application, fondue.exe, to perform system reconnaissance.
Such as checking the computer name -
And finding out system languages -
And checking for numerous security settings, if available in the system.
No network activity was observed during the analysis; however, the Trojan has a hardcoded C&C server in its strings.
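The process chain described above (Word opens the template, the dropped file runs, and fondue.exe is spawned) can be hunted for in process-creation telemetry. The following is an added example, not SonicWall's detection logic: it assumes events carrying Sysmon Event ID 1 field names, the sample events are constructed, and the dropped file's path is a placeholder because the page does not give it.

```python
import ntpath

OFFICE_IMAGES = {"winword.exe"}   # host process that opens the .dotm template
TARGET_IMAGE = "fondue.exe"       # legitimate binary the page reports being spawned

# Constructed events using Sysmon Event ID 1 field names. The dropped file's
# path is a placeholder because the page does not give it.
SAMPLE_EVENTS = [
    {"ProcessGuid": "E1", "ParentProcessGuid": "E0",
     "Image": r"C:\Windows\explorer.exe"},
    {"ProcessGuid": "W1", "ParentProcessGuid": "E1",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ProcessGuid": "D1", "ParentProcessGuid": "W1",
     "Image": r"C:\<dropped-dir>\<dropped-file>.exe"},
    {"ProcessGuid": "F1", "ParentProcessGuid": "D1",
     "Image": r"C:\Windows\System32\fondue.exe"},
    # Benign control: fondue.exe started from the shell, no Office ancestor.
    {"ProcessGuid": "F2", "ParentProcessGuid": "E1",
     "Image": r"C:\Windows\System32\fondue.exe"},
]

def image_name(path):
    return ntpath.basename(path).lower()

def ancestry(event, by_guid, max_depth=16):
    """Return [event, parent, grandparent, ...], stopping on gaps or loops."""
    chain, seen = [event], {event["ProcessGuid"]}
    while len(chain) < max_depth:
        parent = by_guid.get(chain[-1]["ParentProcessGuid"])
        if parent is None or parent["ProcessGuid"] in seen:
            break
        chain.append(parent)
        seen.add(parent["ProcessGuid"])
    return chain

def find_office_fondue_chains(events):
    """Flag fondue.exe launches that have an Office process as an ancestor."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if image_name(e["Image"]) != TARGET_IMAGE:
            continue
        chain = ancestry(e, by_guid)
        if any(image_name(p["Image"]) in OFFICE_IMAGES for p in chain[1:]):
            hits.append([p["Image"] for p in reversed(chain)])
    return hits

if __name__ == "__main__":
    for chain in find_office_fondue_chains(SAMPLE_EVENTS):
        print(" -> ".join(chain))
```

Walking the full ancestry rather than only the direct parent catches the case here, where the dropped executable sits between Word and fondue.exe.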
SonicWall Capture Labs provides protection against this threat via the following signature:
This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.