EXECUTIVE SUMMARY
This campaign uses a phishing email with a request for quotation theme to trick users into opening attached documents that appear related to business deals. The message is designed to look normal and targets roles that usually handle such requests, so it does not raise suspicion. The attached files look real but contain hidden content that starts a multi-step infection process. The same document structure is reused across samples which shows a repeated method. The attack chain is divided into multiple stages where each stage loads another component instead of delivering everything at once. This helps the attack avoid early detection. It also uses common file types and tools such as document files scripts and command tools so activity blends with normal system use.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY
This campaign uses a phishing email with a request for quotation theme to trick users into opening attached documents that appear related to business deals. The message is designed to look normal and targets roles that usually handle such requests, so it does not raise suspicion. The attached files look real but contain hidden content that starts a multi-step infection process. The same document structure is reused across samples which shows a repeated method. The attack chain is divided into multiple stages where each stage loads another component instead of delivering everything at once. This helps the attack avoid early detection. It also uses common file types and tools such as document files scripts and command tools so activity blends with normal system use.[emaillocker id="1283"]
The infection starts with a document that includes hidden content which is not visible to the user. This content carries encoded data that extracts and runs a script. The script removes extra characters to rebuild its real code and then runs system commands to continue the attack. It launches a command process that runs encoded instructions and avoids security checks by bypassing scanning steps. The script then connects to an external source and downloads a compressed file using a trusted file sharing service. Inside the file there is a full runtime setup along with scripts and an encrypted payload. The next stage uses multiple decoding steps such as base64 and other transformations to reveal the hidden payload. The payload is then decrypted and loaded directly into memory instead of being saved on disk. This makes detection harder as there is no clear file left behind. The same keys and patterns are reused across samples.
The campaign shows a strong use of staged execution and trusted tools to reduce detection and blend with normal activity. By spreading the attack across multiple steps and using built in system tools it avoids drawing attention. The use of memory-based loading also limits visible traces on the system. At the same time the campaign has some weak points due to repeated patterns across different samples. Reuse of keys similar file structures and common behavior allows linking of related samples and helps in detection. The use of public file sharing sources also creates a chance to track and block activity. Overall, the attack is effective in hiding its steps, but the repeated design makes it easier to identify once analyzed.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1204.002 | User Execution | Malicious File |
| T1059.007 | Command and Scripting Interpreter | JavaScript | |
| T1059.001 | Command and Scripting Interpreter | PowerShell | |
| T1059.006 | Command and Scripting Interpreter | Python | |
| T1218 | System Binary Proxy Execution | — | |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| T1036 | Masquerading | — | |
| T1620 | Reflective Code Loading | — | |
| T1140 | Deobfuscate/Decode Files or Information | — | |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| T1105 | Ingress Tool Transfer | — |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
| Initial Access | B0021 | Send Poisoned Text Message |
| Defense Evasion | F0005 | Hidden Files and Directories |
| E1027 | Obfuscated Files or Information | |
| E1055 | Process Injection | |
| B0013 | Analysis Tool Discovery | |
| Execution | E1059 | Command and Scripting Interpreter |
| Command and Control | B0030 | C2 Communication |
| C0002 | HTTP Communication |
REFERENCES:
The following reports contain further technical details:
[/emaillocker]