There is no malicious code with attachment itself instead of it download file over SMB connection and steals user credentials silently, also it will download some other malicious payloads to infect victim’s computer.
They came through various DOCX samples which were delivered as attachments in malicious spam emails.If the victim opens the attachment the document will try to pull down a template and there is a connection over port 80 and with port 445 they captured a handshake failure.
As per their initial analysis, malicious SMB server was used to harvest the victim’s credentials and the connection to external server established over SMB.
Later they confirmed with another related sample with another external server listening on Port 80 but No Templates served.
They research further with the entity relationship ID rId133 that found in word/_rels/settings.xml.rels and reached to GitHub page of a phishing tool named Phishery.
They found the same rID in the Phishery source, but Phishery doesn’t rely on SMB, instead, it handles connection over HTTPS.You can refer Talos for Technical analysis.
Talos said “At this time, there is no evidence to confirm any of the three possibilities. However, the attackers’ reliance on a successful SMB session stemming from outbound traffic over TCP 445 further confirms that organizations are still failing to properly block such egress traffic to public hosts.”
Common Defence’s to stay safe
- Don’t open the attachments that you are not expecting.
- Patch or Update your software.
- Use a reputable security suite.
- Disconnect Internet connection immediately.