Antihack Blog

Web Site for a Bangladesh Embassy Compromised with Malicious Docs

26 Mar 2019

The web site for the Bangladeshi Embassy in Cairo has been compromised so that it distributes malicious Word documents, which install malware downloaders onto an infected computer.

In a report released today, researchers from Trustwave explain how their Trustwave Cloud SWG product detected that the Bangladesh embassy site had been infected with a coinminer in October 2018. A few months later in January 2019, this same site started pushing a malicious Word document whenever a user visited the site.

When examining the site, the researchers noticed that it had been compromised so that visiting any HTML page would force-download a malicious Word document called Conference_Details.docx.

After analysis, Trustwave determined that the Word document exploited CVE-2017-0261, a vulnerability in the way Office handles Encapsulated PostScript (EPS) images that allows remote code execution on the affected computer. You can see this vulnerability being exploited below after the Word document is opened.
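Because CVE-2017-0261 is reached through an EPS image embedded in the document, one cheap triage check for a downloaded .docx is to open it as the ZIP container it is and flag any EPS parts. The script below is an added example, not code from the article or the Trustwave report; the sample documents are constructed inline so it runs offline.

```python
import io
import zipfile

# DOS-binary EPS preview header and the plain PostScript header.
EPS_MAGICS = (b"\xc5\xd0\xd3\xc6", b"%!PS")


def find_eps_parts(docx_bytes: bytes) -> list[str]:
    """Return the names of archive members that carry EPS content.

    A .docx is a ZIP container; embedded pictures live under word/media/.
    A part counts as EPS if its name ends in .eps or its first bytes match
    a PostScript/EPS header, so a renamed .eps (e.g. image1.png) is still caught.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.endswith("/"):
                continue  # directory entry, nothing to read
            with z.open(name) as part:
                head = part.read(4)
            if lower.endswith(".eps") or head.startswith(EPS_MAGICS):
                hits.append(name)
    return hits


def build_sample_docx(media: dict[str, bytes]) -> bytes:
    """Constructed minimal .docx-like archive used only to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        for filename, content in media.items():
            z.writestr(f"word/media/{filename}", content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one real PNG header, one EPS, one EPS renamed to .png.
    sample = build_sample_docx({
        "image1.png": b"\x89PNG\r\n\x1a\n",
        "image2.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n",
        "image3.png": b"\xc5\xd0\xd3\xc6" + b"\x00" * 28,
    })
    for part in find_eps_parts(sample):
        print("EPS part found:", part)
```

A hit does not prove the document is malicious, but Office has long since disabled EPS rendering, so a legitimate document has little reason to carry one and the file deserves sandbox analysis rather than a double-click.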

When finished, the malware will have been installed in the C:\ProgramData\Microsoft\Windows\DRM folder, as seen below. VirusTotal detects the MSBuld.exe file as a password-stealing Trojan, but Trustwave states that it is Godzilla Loader.

Once Godzilla Loader is launched, it will connect back to its Command & Control server and download other malware.

Unfortunately, the domain owners never responded to Trustwave's emails and the site continues to be compromised to this day.

It is important to note that you should never open a document, or other file, that is automatically downloaded when you visit a web site. Instead, you should leave the site and delete any file that was downloaded so that you do not open it by mistake in the future.

Source: Bleeping Computer
