Thursday, September 14, 2017

UNDOCUMENTED MS WORD FEATURES ABUSED BY ATTACKERS


Last year, several Kaspersky customers were targeted with documents that did not appear to be directly malicious but pointed to a type of profiling activity. These suspicious documents included a link to a remote picture, which was served by a PHP script located on a command and control server. What is unusual is that the attacks take advantage of an undocumented feature in Microsoft Word that makes it connect out to a remote address whenever a document is opened, even in Protected Mode. This presentation describes the undocumented feature, how it works and how to find its indicators in a document. Given the targets, we suspect the activity is related to one of two known threat actors: Turla and CloudAtlas.
by Kaspersky Lab via Endless Supplies .Us - Brands
