Hackers Target Security Researchers With Malware-Laden Document

State-backed hackers are targeting security researchers in their latest campaign. They are sending malware-infested documents disguised as an advertisement for a cybersecurity conference. The malware variant is Seduploader, which has been used in previous campaigns by Fancy Bear. Their ultimate objective is espionage. I hope all of the researchers targeted follow their own advice that they constantly give all of us.

The VBA drops and executes a new variant of Seduploader. This reconnaissance malware has been used by Group 74 for years and it is composed of two files: a dropper and a payload. The dropper and the payload are quite similar to the previous versions, but the author modified some public information such as the MUTEX name and obfuscation keys. We assume that these modifications were performed to avoid detection based on public IOCs.

The article describes the malicious document and the Seduploader reconnaissance malware, especially the differences from the previous versions.
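The excerpt above makes a point worth seeing in code: a detection keyed on a published mutex name stops firing the moment the author renames it, while a rule keyed on what the dropper does (take a mutex, write a second-stage file, then run that same path) keeps firing. The example below is added here and is not code from the [H]ardOCP post, Talos, or the malware itself; the sandbox-style API telemetry, mutex strings, file paths and API lists are all constructed for illustration.

```python
"""Added example (not from the [H]ardOCP post or the Talos write-up).

Compares an IOC-based rule (matches a public mutex name) with a
behaviour-based rule (mutex + drop a file + execute that file) over
constructed sandbox telemetry. Nothing here is real malware data.
"""
from dataclasses import dataclass

# Constructed "public IOC": the mutex string a hypothetical report published.
PUBLIC_IOC_MUTEXES = {"Global\\ConstructedMutex_v1"}

# API families used by the behaviour rule (Win32 names, generic dropper pattern).
MUTEX_APIS = {"CreateMutexA", "CreateMutexW"}
DROP_APIS = {"CreateFileA", "CreateFileW", "WriteFile"}
EXEC_APIS = {"CreateProcessA", "CreateProcessW", "WinExec", "ShellExecuteA"}


@dataclass
class SandboxReport:
    """Constructed stand-in for per-sample API-call telemetry."""
    name: str
    api_calls: list  # ordered (api_name, first_string_argument) pairs


def ioc_match(report: SandboxReport) -> bool:
    """Brittle rule: fires only if the sample creates a mutex whose name is on
    the public IOC list. A one-string change by the author defeats it."""
    return any(api in MUTEX_APIS and arg in PUBLIC_IOC_MUTEXES
               for api, arg in report.api_calls)


def behaviour_match(report: SandboxReport) -> bool:
    """Robust rule: the sample creates *some* mutex, writes a file to disk, and
    later executes that same path. The mutex string itself is irrelevant."""
    first_write = {}
    for i, (api, arg) in enumerate(report.api_calls):
        if api in DROP_APIS and arg and arg not in first_write:
            first_write[arg] = i
    dropped_then_run = any(
        api in EXEC_APIS and arg in first_write and i > first_write[arg]
        for i, (api, arg) in enumerate(report.api_calls)
    )
    has_mutex = any(api in MUTEX_APIS for api, _ in report.api_calls)
    return has_mutex and dropped_then_run


# Constructed samples: the "original" variant, the same behaviour with a
# renamed mutex, and a benign program that writes a file but never runs it.
STAGE2 = "C:\\Users\\Public\\stage2.exe"  # constructed path
SAMPLES = [
    SandboxReport("dropper_original", [
        ("CreateMutexA", "Global\\ConstructedMutex_v1"),
        ("CreateFileA", STAGE2),
        ("WriteFile", STAGE2),
        ("CreateProcessA", STAGE2),
    ]),
    SandboxReport("dropper_renamed_mutex", [
        ("CreateMutexA", "Global\\ConstructedMutex_v2"),
        ("CreateFileA", STAGE2),
        ("WriteFile", STAGE2),
        ("CreateProcessA", STAGE2),
    ]),
    SandboxReport("benign_document_save", [
        ("CreateFileA", "C:\\Users\\Public\\notes.docx"),
        ("WriteFile", "C:\\Users\\Public\\notes.docx"),
    ]),
]


def evaluate(samples=SAMPLES) -> dict:
    """Return {sample_name: (ioc_rule_fired, behaviour_rule_fired)}."""
    return {s.name: (ioc_match(s), behaviour_match(s)) for s in samples}


if __name__ == "__main__":
    for name, (ioc, beh) in evaluate().items():
        print(f"{name:24} ioc={str(ioc):5} behaviour={beh}")
```

Running it shows the renamed-mutex variant slipping past the IOC rule while the behaviour rule still catches it, and the benign writer triggering neither. In a real pipeline the telemetry would come from a sandbox or EDR rather than a hand-built list, but the shape of the two rules is the same.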

Source: [H]ardOCP – Hackers Target Security Researchers With Malware-Laden Document