A spear phishing campaign by the APT-C-35 group targeting a Pakistani official was observed by the Rewterz threat intelligence forum. Detailed analysis of the attached Excel file showed that it contains 20 different worksheets with malicious macro code embedded in it. When the victim opens the document, a macro (workbook_open) executes and shows a message box reading 'Microsoft Excel stopped working' (the text is hardcoded in the macro). In parallel, the macro executes a batch file (named s.bat) that contains step-by-step instructions for creating the folders and files 'Temp' and 'Appdata' (names hardcoded in the code). Once these are created, the batch file hides the files and folders and saves the computer name into another attacker-created file (agnia) in the Appdata folder. After the files and folders have been created and their attributes set to hidden, it extracts the actual payload, a DLL named 'sqmap.dll', into the created directory (the Appdata folder).
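The behaviour chain above (Excel spawning a batch file that drops 'agnia' and 'sqmap.dll') is what a defender would hunt for in endpoint telemetry. The following detection sketch is an added example, not Rewterz's code: it correlates constructed Sysmon-style process and file events (the event field names, PIDs, hostnames and file paths are all assumed) and flags hosts where a cmd.exe running a .bat file descends from EXCEL.EXE and writes the named artifacts.

```python
from collections import defaultdict

# File names taken from the analysis above; everything else here is constructed.
DROPPED_NAMES = {"agnia", "sqmap.dll"}

# Constructed sample telemetry (assumed schema: host, type, pid, ppid, image, cmdline, target).
EVENTS = [
    {"host": "WS1", "type": "process", "pid": 100, "ppid": 1, "image": "EXCEL.EXE", "cmdline": "EXCEL.EXE report.xls"},
    {"host": "WS1", "type": "process", "pid": 200, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe /c s.bat"},
    {"host": "WS1", "type": "process", "pid": 201, "ppid": 200, "image": "attrib.exe", "cmdline": "attrib +h Appdata"},
    {"host": "WS1", "type": "file", "pid": 200, "target": r"C:\Users\user\Temp\Appdata\agnia"},
    {"host": "WS1", "type": "file", "pid": 200, "target": r"C:\Users\user\Temp\Appdata\sqmap.dll"},
    # Benign: Excel spawning cmd.exe without a batch file, nothing dropped.
    {"host": "WS2", "type": "process", "pid": 300, "ppid": 1, "image": "EXCEL.EXE", "cmdline": "EXCEL.EXE budget.xlsx"},
    {"host": "WS2", "type": "process", "pid": 301, "ppid": 300, "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
    # Benign: a .bat run from Explorer, not from Excel.
    {"host": "WS3", "type": "process", "pid": 400, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"host": "WS3", "type": "process", "pid": 401, "ppid": 400, "image": "cmd.exe", "cmdline": "cmd.exe /c build.bat"},
]


def find_excel_bat_chains(events):
    """Return [(host, cmd_pid, [dropped names])] for cmd.exe /c *.bat chains rooted at EXCEL.EXE."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}

    def descends_from_excel(host, pid):
        # Walk the parent chain; guard against cycles in malformed telemetry.
        seen = set()
        while (host, pid) in procs and (host, pid) not in seen:
            seen.add((host, pid))
            parent = procs[(host, pid)]
            if parent["image"].lower() == "excel.exe":
                return True
            pid = parent["ppid"]
        return False

    # Collect writes of the named artifacts, keyed by the writing process.
    writes = defaultdict(set)
    for e in events:
        if e["type"] == "file":
            name = e["target"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in DROPPED_NAMES:
                writes[(e["host"], e["pid"])].add(name)

    hits = []
    for (host, pid), p in procs.items():
        if p["image"].lower() == "cmd.exe" and ".bat" in p["cmdline"].lower():
            if descends_from_excel(host, p["ppid"]):
                hits.append((host, pid, sorted(writes[(host, pid)])))
    return hits


if __name__ == "__main__":
    for host, pid, dropped in find_excel_bat_chains(EVENTS):
        print(f"{host}: cmd.exe pid {pid} launched from Excel via .bat; dropped {dropped}")
```

Treat the .bat-from-Excel chain itself as the alert condition; the dropped file names only raise confidence, since a variant could rename them.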
A detailed analysis of this attack is also available on our Threat Intelligence blog.