Wednesday, October 14, 2015

Update to Trojan Fareit IIV



The sample (first-stage Word macro) is detected by McAfee as Bartallex.

Googled it and found a McAfee blog entry dated March 2015:

Reference: https://blogs.mcafee.com/mcafee-labs/bartallex-renews-strain-of-macro-malware



The chain shows the .bat and .vbs stages of the infection kill chain.


As per the McAfee blog, "the macro clears its contents in the word document after the macro is enabled".

So I realize the purpose of the last function in the VB macro, which I considered irrelevant initially:

This is the part that deletes its contents, as mentioned in the McAfee blog.





