Service to Embed Documents with Malicious Executables for Sale on Cybercrime Forum
July 22, 2021
CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a cybercrime forum, advertising a service allegedly claimed that it can embed documents with any malicious executables. The threat actor claims that the embedded document can bypass Google, Gmail, and Google Drive protection. CloudSEK’s Threat Intelligence Research team is in the process of validating this post. Analysis of the demonstration video indicates exploitation of Microsoft Excel Add-ins extension “.xll”.
The service claims it will enable the buyer to:
Embed malicious executables, such as malware, in any document.
Disseminate phishing emails with malicious documents as attachments.
Establish initial access to the victim machine.
Update anti-virus, prevention and detection endpoints regularly.
Patch all applications and systems.
Backup all data, with one offline backup, periodically.
Avoid downloading suspicious documents.
Don’t enable macros or content of unknown documents.