{"id":17934,"date":"2020-03-17T20:35:46","date_gmt":"2020-03-18T04:35:46","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/03\/17\/news-11667\/"},"modified":"2020-03-17T20:35:46","modified_gmt":"2020-03-18T04:35:46","slug":"news-11667","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/03\/17\/news-11667\/","title":{"rendered":"VB2019 paper: Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers"},"content":{"rendered":"<p>Malicious RTF files, exploiting vulnerabilities in <em>Microsoft Office<\/em>, have long been a popular way to deliver malware, most often through (spear-)phishing attacks. Such files are often created using exploit builders, which were the subject of a <a title=\"VB2018 paper: Office bugs on the rise\" href=\"https:\/\/www.virusbulletin.com\/blog\/2018\/12\/vb2018-paper-office-bugs-rise\/\">VB2018 presentation<\/a> by <em>Sophos<\/em> researcher G\u00e1bor Szappanos.<\/p>\n<p>One such builder (or weaponizer) is \u2018Royal Road\u2019, which has been used by various Chinese APT groups to deliver malware. Royal Road and how the properties of RTF files can be used to track weaponizers and their users were the subject of a VB2019 paper by Michael Raggi (<em>Proofpoint<\/em>) and Ghareeb Saad (<em>Anomali<\/em>).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" style=\"display: block; margin-left: auto; margin-right: auto;\" src=\"https:\/\/www.virusbulletin.com\/files\/cache\/e15bc6875370441dbd92354dbc60edb9_f4371.png\" alt=\"Figure 1_8.png\" width=\"600\" height=\"495\" \/><span class=\"centered-caption\">Permanence versus operational visibility in RTF attribution techniques.<\/span><\/p>\n<p>Today, we publish the researchers&#8217; paper in both <a title=\"VB2019 paper: Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers\" href=\"https:\/\/www.virusbulletin.com\/virusbulletin\/2020\/03\/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers\/\">HTML<\/a> and <a href=\"https:\/\/www.virusbulletin.com\/uploads\/pdf\/magazine\/2019\/VB2019-Raggi-Saad.pdf\" target=\"_blank\">PDF<\/a> format as well as the recording of their VB2019 presentation.<\/p>\n<p>\u00a0<\/p>\n<p>\u00a0<\/p>\n<p style=\"text-align: center;\" width=\"100%\" height=\"420\"><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/GRucA4e0GYM\" frameborder=\"0\" width=\"100%\" height=\"420\" style=\"\"> <\/iframe><\/p>\n<p>\u00a0<\/p>\n<p><em><em>Have you carried out research that furthers our understanding of the threat landscape? Have you discovered a technique that helps in the analysis of malware? <\/em>The <a title=\"VB2020 call for papers - now open!\" href=\"https:\/\/www.virusbulletin.com\/blog\/2019\/12\/vb2020-call-papers-now-open\/\">Call for Papers<\/a> for VB2020 in Dublin is open until <strong>15 March<\/strong> &#8211; submit a proposal now for a chance to make it onto the programme of one of the most international threat intelligence conferences!<\/em><\/p>\n<p>outertext<br \/><a href=\"https:\/\/www.virusbulletin.com\/blog\/2020\/03\/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers\/\" target=\"bwo\" >https:\/\/www.virusbulletin.com\/rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.virusbulletin.com\/files\/cache\/e15bc6875370441dbd92354dbc60edb9_f4371.png\"\/><br \/>                                 At VB2019 in London Michael Raggi (Proofpoint) and Ghareeb Saad (Anomali) presented a paper on the &#8216;Royal Road&#8217; exploit builder (or weaponizer) and how the properties of RTF files can be used to track weaponizers and their users. Today we publish both their paper and the recording of their presentation.                <\/p>\n<p>                 <a href=\"https:\/\/www.virusbulletin.com\/blog\/2020\/03\/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers\/\">Read more<\/a>                                <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[23177,10378,23176],"tags":[],"class_list":["post-17934","post","type-post","status-publish","format-standard","hentry","category-magazine","category-security","category-virusbulletin"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17934","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17934"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17934\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17934"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17934"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17934"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}