| by Cows

Analyzing malicious links in Microsoft Office XML

Lately I have found myself analyzing a lot of malicious Microsoft Office documents, specifically those that exploit CVE-2017-0199 via remote Document Template (.dot) files referenced from XML elements inside the package. See my previous post on Gamaredon activity for further details. This technique lets the first-stage document bypass heuristic detection methods that focus on […]

| by Cows

Gamaredon targets Ukraine using CVE-2017-0199

From September 2019 to November 2019 there was a significant uptick in Gamaredon-attributed activity. A series of Word documents taking advantage of CVE-2017-0199 was uploaded to VirusTotal, mostly by submitters in Ukraine. The initial dropper documents do not use malicious macros or OLE objects, but instead reference external Document Template […]
