Excel Document Used as Entry Point for Info-Stealer

Analysis of a malicious Excel reported by Fortinet researcher, Pei Han Liao details the distribution of a information stealing malware. This campaign was observed in January 2024 and is attributed a Vietnamese threat actor. The initial stage involves an Excel document with a VBA script executing a PowerShell command to download a malicious script from an external source. Subsequent stages utilize obfuscated scripts and downloaders, including a Python script, to deploy an information stealer onto the victim's system. The final payload, a Python-based info-stealer, targets various browsers to collect cookies and login data, compressing them into a zip file and sending them to the attacker's telegram bot for further exploitation.

Moreover, the attackers leverage open platforms such as GitLab repositories to host and distribute their malicious payloads, further complicating detection efforts. Analysis of the campaign also revealed links to other malware variants used in separate campaigns, indicating a broader threat landscape orchestrated by the same threat actor. Additionally, clues to another campaign were uncovered through the examination of the telegram bot used by the threat actor. The threat actor appears to be expanding its capabilities since their initial signs of activity in August 2023.