On March 24, 2017, it was reported that at least a dozen Saudi Arabian organizations had been targeted by a spear-phishing campaign attempting to steal confidential data. The attack begins with a phishing email in Arabic carrying an attached Word document that infects the recipient's system and then sends the same email and document to the victim's Outlook contacts. The malicious code is executed by a macro, which then steals information and uploads it to a remote server.
According to the report, the payload is embedded in the macro as Base64 text; the macro uses the Windows certutil utility to decode the Base64 into a PE file, which is then executed. Because certutil ships with Windows, the decode step needs no additional tooling on the victim's machine. The binary is written in .NET and is not obfuscated, although obfuscation is a technique commonly used to hide an attack payload from inspection by network security systems. The main payload is accompanied by two helper dynamic-link library (DLL) modules; a DLL is a shared library of code that other programs load at run time.
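The staging chain described above (Base64 blob inside a macro, certutil to turn it back into a PE file, then execution) is a pattern a defender can check for statically in extracted macro text. The following is an added example, written for this page rather than taken from the report or from silicon.co.uk: it builds a constructed macro in that style around a fake PE header (no real code, no real malware), collapses VBA string concatenations so a blob split across lines is seen whole, decodes any long Base64 run, and checks whether the result carries an MZ header whose e_lfanew points at a "PE\0\0" signature. The function and variable names are hypothetical and the macro text is constructed for the demonstration.

```python
import base64
import re
import struct

# Constructed stand-in for a PE file: a 64-byte DOS header whose e_lfanew
# field (offset 0x3c) points at a "PE\0\0" signature. Hypothetical, carries no code.
def make_fake_pe() -> bytes:
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)  # NT headers start right after the DOS header
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20


def make_sample_macro(payload: bytes, chunk: int = 60) -> str:
    """Constructed VBA macro in the style the report describes (not the real one):
    Base64 text held in concatenated string literals, written to a temp file,
    decoded with certutil and then executed."""
    b64 = base64.b64encode(payload).decode()
    chunks = [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    literal = ' & _\n    '.join(f'"{c}"' for c in chunks)
    return (
        "Sub AutoOpen()\n"
        "    Dim b64 As String\n"
        f"    b64 = {literal}\n"
        '    Open Environ("TEMP") & "\\in.txt" For Output As #1\n'
        "    Print #1, b64\n"
        "    Close #1\n"
        '    Shell "certutil -decode %TEMP%\\in.txt %TEMP%\\out.exe", vbHide\n'
        '    Shell "%TEMP%\\out.exe", vbHide\n'
        "End Sub\n"
    )


# Detection side.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
CERTUTIL_DECODE = re.compile(r"certutil(?:\.exe)?[^\n]*?-decode", re.IGNORECASE)
SHELL_CALL = re.compile(r'\b(?:Shell|CreateObject\s*\(\s*"WScript\.Shell"\s*\))', re.IGNORECASE)


def join_string_literals(vba: str) -> str:
    """Collapse '"abc" & _<newline>"def"' and '"abc" & "def"' into one literal,
    so a Base64 blob split across VBA lines is searched as a single run."""
    return re.sub(r'"\s*&\s*_?\s*"', "", vba)


def looks_like_pe(data: bytes) -> bool:
    """MZ header plus a valid e_lfanew pointing at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def embedded_pe_blobs(vba: str) -> list:
    """Decode every long Base64 run in the macro and keep those that decode to a PE image."""
    found = []
    for m in B64_RUN.finditer(join_string_literals(vba)):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad padding or stray characters
            continue
        if looks_like_pe(raw):
            found.append(raw)
    return found


def analyze_macro(vba: str) -> dict:
    """Summarise the indicators that make up the certutil staging chain."""
    pes = embedded_pe_blobs(vba)
    result = {
        "certutil_decode": bool(CERTUTIL_DECODE.search(vba)),
        "embedded_pe": len(pes),
        "shell_exec": bool(SHELL_CALL.search(vba)),
    }
    # The combination is the signal: Base64 that decodes to a PE, plus certutil -decode.
    result["suspicious"] = result["certutil_decode"] and result["embedded_pe"] > 0
    return result


if __name__ == "__main__":
    print(analyze_macro(make_sample_macro(make_fake_pe())))
```

The macro text would normally come from an extraction tool run over the document rather than be constructed as here; the Base64 run, certutil invocation and PE check are the parts worth keeping in a real rule, and a blob that the macro further splits, reverses or XORs before writing it out would need the corresponding unwrapping step before the PE check.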
Source: silicon.co.uk, March 24, 2017.