This attack is believed to be the work of a long-running APT group that targets government organizations and the private sector, and the new campaign leverages the COVID-19 pandemic to lure victims and trigger the infection. The attackers also use new malware techniques in this campaign, delivered through weaponized RTF documents. Analysis of the documents collected in this attack shows that the RTF files were built with Royal Road, the RTF weaponizer named by Anomali, which is often referred to as the "8.t" RTF exploit builder and is used here mainly to exploit the bug in the Microsoft Word Equation Editor. Several of the malicious documents are written in Mongolian; one of them purports to come from the Ministry of Foreign Affairs of Mongolia, and the documents contain information on recent Coronavirus infections.
# Infection vector
When the user opens the malicious RTF document, the Microsoft Word bug is triggered and a new file named intel.wll is dropped into the Word Startup folder.
This is one of the latest variants of the RoyalRoad weaponizer's persistence technique: Word loads every DLL with a .wll extension found in its Startup folder, so the dropped file executes the next time the user launches Microsoft Word, which starts the infection chain. Because nothing runs until Word is relaunched, the technique also keeps the malicious chain from executing in a sandbox that only opens the document. Once intel.wll is loaded, the next stage of the infection chain is downloaded and decrypted from the C2 server (95.179.242[.]6). During this stage the DLL, which turns out to be the main loader of the malware framework built by the APT actor, can retrieve additional functionality from the other C2 server. The malware, including its RAT module, has the following key capabilities:
- Take a screenshot
- List files and directories
- Create and delete directories
- Move and delete files
- Download a file
- Execute a new process
- Get a list of all services
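Since Word loads any .wll in its Startup folders without prompting, the fastest host-side check for this chain is to enumerate those folders. The following is an added example, not code from the original report or the actor's tooling: it lists every .wll add-in, hashes it, checks whether it is a PE image and matches the name against the intel.wll IOC from this campaign. The default folder list is an assumption based on a standard Office install (%APPDATA%\Microsoft\Word\STARTUP for the current user and the Office16\STARTUP directory under Program Files for all users); pass an explicit list for other layouts. The demo directory and fake add-in it creates are constructed fixtures.

```python
r"""Hunt for DLL add-ins (*.wll) in Microsoft Word's Startup folders.

Added example, not code from the original report. Word loads every .wll
found in its Startup folders on launch, which is what makes the dropped
intel.wll run on the next Word start. The default folder list is an
assumption drawn from a standard Office install (%APPDATA%\Microsoft\Word\STARTUP
for the current user; the Office16\STARTUP directory under Program Files
for all users); pass an explicit list for other layouts.
"""
import hashlib
import os
import tempfile
from pathlib import Path

KNOWN_BAD_NAMES = {"intel.wll"}  # the add-in name dropped in this campaign


def default_startup_dirs():
    """Best-effort default Word Startup folders on a Windows host (assumption)."""
    dirs = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.append(Path(appdata) / "Microsoft" / "Word" / "STARTUP")
    for var in ("ProgramFiles", "ProgramFiles(x86)"):
        base = os.environ.get(var)
        if base:
            dirs.append(Path(base) / "Microsoft Office" / "root" / "Office16" / "STARTUP")
    return dirs


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_wll_addins(startup_dirs, known_bad_names=KNOWN_BAD_NAMES):
    """Return one record per *.wll (any case) in the given folders.

    Every .wll here deserves a look, since Word will load it silently; the
    record carries what an analyst needs to triage it: hash, size, whether
    it is a PE image, and whether its name matches a known IOC.
    """
    hits = []
    for d in startup_dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in sorted(d.iterdir()):
            if not p.is_file() or p.suffix.lower() != ".wll":
                continue
            with open(p, "rb") as fh:
                head = fh.read(2)
            hits.append({
                "path": str(p),
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
                "is_pe": head == b"MZ",
                "known_bad_name": p.name.lower() in known_bad_names,
            })
    return hits


# Constructed fixture for the demo: a fake intel.wll that is only an "MZ"
# header plus padding (not malware), next to files Word would not load as add-ins.
FAKE_WLL_BYTES = b"MZ" + b"\x00" * 62


def make_demo_startup_dir():
    d = Path(tempfile.mkdtemp(prefix="word_startup_"))
    (d / "intel.wll").write_bytes(FAKE_WLL_BYTES)
    (d / "Normal.dotm").write_bytes(b"PK\x03\x04")
    (d / "notes.txt").write_text("not an add-in")
    return d


if __name__ == "__main__":
    dirs = default_startup_dirs() or [make_demo_startup_dir()]
    for hit in find_wll_addins(dirs):
        flag = "KNOWN-BAD" if hit["known_bad_name"] else "review"
        print(f"[{flag}] {hit['path']} {hit['size']}B sha256={hit['sha256']} pe={hit['is_pe']}")
```

On a live host, compare every reported hash against the add-ins your software inventory expects; a .wll that nobody installed is the finding even when its name is not intel.wll.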
Both C&C servers were hosted at Vultr, and the domains were registered through the GoDaddy registrar.
# Indicators of compromise
RTFs:
DLLs:
RAT: