Microsoft Office Document Designed to Bypass Anti-Virus Used to Target NJ State Systems

The NJCCIC recently detected threat actors employing sophisticated evasion techniques to attempt to bypass anti-virus detection and install malware onto State information assets. The tactic, covered extensively by FireEye, uses the command line, PowerShell, and code obfuscation to make analysis more difficult. If successful, a Microsoft Office document with macros enabled executes code that installs the Emotet banking trojan onto targeted systems. Luckily, the State’s defenses were able to identify this threat; however, others may not be as fortunate. The NJCCIC recommends that organizations educate staff on this and similar threats, reminding them to avoid opening attachments from unsolicited or untrusted sources; ensure Microsoft Office macros are disabled by default; and deploy endpoint detection and response (EDR) protection that is capable of monitoring suspicious command-line usage and indicators of attack.
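As an added illustration of the command-line monitoring the advisory recommends (example code written for this page, not the NJCCIC's or FireEye's), the following Python checker flags process-creation events in which an Office application spawns a command shell or PowerShell whose command line carries obfuscation or evasion markers. The event fields, the marker list and the sample events are constructed assumptions, not telemetry from the incident.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record (constructed; field names are assumed)."""
    parent: str   # full path of the parent process image
    image: str    # full path of the created process image
    cmdline: str  # command line of the created process


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Command-line traits that commonly accompany obfuscated macro droppers.
OBFUSCATION_MARKERS = {
    "encoded_command": re.compile(r"(?<!\w)-e(?:nc(?:odedcommand)?)?(?!\w)", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hid", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|net\.webclient", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "cmd_caret_escape": re.compile(r"\^"),  # caret-split tokens inside cmd.exe
}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def assess(event: ProcessEvent) -> dict:
    """Report the markers found in one event; 'suspicious' requires an Office
    parent, a shell child and at least one obfuscation/evasion marker."""
    office_parent = basename(event.parent) in OFFICE_APPS
    shell_child = basename(event.image) in SHELLS
    markers = [name for name, rx in OBFUSCATION_MARKERS.items() if rx.search(event.cmdline)]
    return {"office_to_shell": office_parent and shell_child,
            "markers": markers,
            "suspicious": office_parent and shell_child and bool(markers)}


# Constructed sample events: a normal document open, a macro launching
# cmd -> PowerShell with evasion flags, and a legitimate admin script.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" /n "C:\Users\user\Downloads\invoice.docx"'),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"C:\Windows\System32\cmd.exe",
                 "cmd /c p^o^w^e^r^s^h^e^l^l -nop -w hidden -enc <BASE64_PLACEHOLDER>"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -NoProfile -File C:\scripts\backup.ps1"),
]


def alerts(events=SAMPLE_EVENTS):
    """Return (child image, markers) for every event judged suspicious."""
    return [(basename(e.image), assess(e)["markers"]) for e in events if assess(e)["suspicious"]]
```

Only the Word-spawned cmd.exe event is reported; the plain document open and the explorer-launched admin script, which carries `-NoProfile` but no Office parent, are not.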