Tag Archives: Microsoft Word

GravityRAT Malware

For the past 18 months, Cisco Talos researchers said they have been tracking GravityRAT with the latest “G2” version spotted sa few weeks ago. The location of the developers, known as “The Invincible” and “TheMartian,” are unknown. However, researchers said documents used to test anti-virus detection via VirusTotal were submitted from Pakistan.

The malware dates back December 2016 with early samples given the version name G1 and later G2. The latest GravityRAT, published in December 2017, is GX.

GravityRAT’s infection vector is typical you need to click on a Word .Docx email attachment and enable macros. By doing so, email recipients are shown a “Protected Document” that prompts targets to “prove that the user is not a robot” (similar to a CAPTCHA). Doing so triggers the infection sequence.

In August 2017, the Indian National CERT published an advisory about malicious targeted campaigns that  referencing the command-and-control server infrastructure of what Talos later came to identify as GravityRAT.

C2 Servers

hxxp://cone[.]msoftupdates.com:46769
hxxp://ctwo[.]msoftupdates.com:46769
hxxp://cthree[.]msoftupdates.com:46769
hxxp://eone[.]msoftupdates.eu:46769
hxxp://etwo[.]msoftupdates.eu:46769
hxxp://msupdates[.]mylogisoft.com:46769
hxxp://coreupdate[.]msoftupdates.com:46769
hxxp://updateserver[.]msoftupdates.eu:46769

msoftupdates[.]com
msoftupdates[.]eu
mylogisoft[.]com




Agent Tesla Spyware

Agent Tesla is a .NET-based spyware. It has gone through numerous updates to add extra functionality and is commonly seen being sold on dark net sites.

It is delivered via malicious Microsoft Word documents distributed in spam or phishing campaigns. Once opened these documents ask the user to enable macros, at which point the infection process is initiated.

It then collects keystrokes, screenshots and clipboard files. It will also attempt to gather passwords and credentials from a number of applications. This information is then sent to a command and control server.

A detailed report on this can be found here.

Affected Platforms

Microsoft Windows – All versions




Loda Information Stealer Trojan

Loda is a trojan with information stealing, credential harvesting and remote execution capabilities.

Loda is distributed via spam or phishing emails containing Microsoft Word documents containing malicious macros, executables or embedded Packager objects. Opening these causes Loda to download and install. One this is completed it connects to a command and control server and reports the following information on the device and user.

Loda can perform several functions once a device has been compromised including downloading and uploading files, keylogging, force reboots, execute processes and open chat windows.

Affected Platforms

Microsoft Windows – All versions




Microsoft Word File Processing Flaw Lets Remote Users Execute Arbitrary Code

Microsoft Word Version(s): 2007 SP3, 2010 SP2, 2013 SP1, 2013 RT SP1, 2016; Office Word Viewer

Description:   A vulnerability was reported in Microsoft Word. A remote user can cause arbitrary code to be executed on the target user’s system.

A remote user can create a specially crafted file that, when loaded by the target user via Microsoft Office, will trigger an object memory handling error and execute arbitrary code on the target system. The code will run with the privileges of the target user.

Yang Kang, Ding Maoyin, and Song Shenlei of Qihoo 360 Core Security (@360CoreSec) reported this vulnerability.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user’s system.

Solution:   The vendor has issued a fix.

The Microsoft advisories are available at:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11826

Vendor URL:  portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11826

CVE Reference:   CVE-2017-11826