Rising captures a cyberattack against a business

BEIJING, Dec. 13 (Xinhua) -- The Rising Threat Intelligence Center recently captured a cyberattack against a domestic company. Analysis found that the attackers sent macro-enabled documents with Chinese text to the target through phishing emails, luring users into opening them and running the macros, which then dropped malicious programs in order to upload user data and download remote-control Trojans.

According to Rising security experts, the sample captured in the attack was a macro-enabled document named "Yu Tongcai Weekly 1025-1031.xlsm". Further analysis revealed that the document also goes by another name, "Consultation on provident fund issues in salaries 2021-10.xlsm".

According to experts, the document contains two worksheets whose visible or hidden state is controlled by the macro code. It tricks users into running the macro themselves, which displays a different worksheet while dropping a malicious program stored in hard-coded form inside the macro code, thereby concealing its malicious behavior.

Through further analysis, Rising found that the macro code drops the malicious program into the Windows Startup folder, so that it runs automatically at startup. The main function of this program is to establish communication with "centos.onthewifi.com", upload private information such as the user's computer data, and receive further threats such as remote-control Trojans from the attackers.

Rising experts suggest that enterprise users strengthen their precautions and take the following defensive measures: do not open suspicious files; deploy gateway security products such as network security situation awareness and early warning systems; install effective anti-virus software to intercept and remove malicious documents and Trojans; and promptly apply patches for the operating system and important software.
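
The behaviour described above (an Office macro writing a program into the Startup folder, followed by contact with centos.onthewifi.com) can be hunted for in endpoint telemetry. The following is an added example, not code from Rising or the original article; the event layout (Sysmon-style FileCreate and DNS query records flattened to one JSON object per line), the host names and the file names are constructed assumptions.

```python
import json

# Constructed sample events shaped like Sysmon records (11 = FileCreate,
# 22 = DnsQuery). Host, user and file names are invented placeholders.
SAMPLE_EVENTS = r'''
{"EventID": 11, "Computer": "WS-014", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\placeholder.exe"}
{"EventID": 22, "Computer": "WS-014", "Image": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\placeholder.exe", "QueryName": "centos.onthewifi.com"}
{"EventID": 11, "Computer": "WS-020", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "TargetFilename": "C:\\Users\\bob\\Documents\\report.xlsx"}
{"EventID": 11, "Computer": "WS-020", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\notes.lnk"}
{"EventID": 22, "Computer": "WS-031", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "www.centos.org"}
'''

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}  # Excel per the article; others by generalization
STARTUP_MARKER = "\\start menu\\programs\\startup\\"        # matches per-user and all-users Startup
REPORTED_HOSTS = {"centos.onthewifi.com"}                   # host named in the article

def classify(event):
    """Return a finding label for one event, or None if it does not match."""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    if event.get("EventID") == 11:
        target = event.get("TargetFilename", "").lower()
        if STARTUP_MARKER in target and image in OFFICE_APPS:
            return "office_write_to_startup"
    elif event.get("EventID") == 22:
        name = event.get("QueryName", "").lower().rstrip(".")
        if any(name == h or name.endswith("." + h) for h in REPORTED_HOSTS):
            return "dns_query_reported_host"
    return None

def scan(text):
    """Parse one JSON event per line and return (host, label) findings."""
    findings = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        label = classify(event)
        if label:
            findings.append((event.get("Computer"), label))
    return findings

def hosts_with_both(findings):
    """Hosts that show the Startup drop and the DNS lookup together."""
    seen = {}
    for host, label in findings:
        seen.setdefault(host, set()).add(label)
    return sorted(h for h, labels in seen.items() if len(labels) == 2)
```

Calling `hosts_with_both(scan(SAMPLE_EVENTS))` returns only the host that shows both signals; either signal alone is still worth triage, since a file written into Startup by an Office process is rarely legitimate.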
