{
	"id": "8743ea1c-63e4-43d6-8d45-f93e432e6abd",
	"created_at": "2026-04-06T00:14:32.988908Z",
	"updated_at": "2026-04-10T13:12:26.664314Z",
	"deleted_at": null,
	"sha1_hash": "588bee6783fbc1097d878afda76d4c4528c207d1",
	"title": "A simple example of a complex cyberattack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 122885,
	"plain_text": "A simple example of a complex cyberattack\r\nBy Vasily Berdnikov\r\nPublished: 2017-09-25 · Archived: 2026-04-02 11:00:45 UTC\r\nWe’re already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature\r\nchecks, virtual file systems, non-standard encryption algorithms and other tricks. Sometimes, however, all of this\r\nmay be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago – we\r\nnamed it ‘Microcin’ after microini, one of the malicious components used in it.\r\nWe detected a suspicious RTF file. The document contained an exploit for the previously known and patched\r\nvulnerability CVE-2015-1641; however, its code had been modified considerably. Remarkably, the malicious\r\ndocument was delivered via websites that targeted a very narrow audience, so we suspected early on that we were\r\ndealing with a targeted attack. The threat actors took aim at users visiting forums with discussions on the state-subsidized housing that Russian military personnel and their families are entitled to.\r\nA forum post with a link to the malicious document\r\nThis approach appears to be very effective, as it substantially increases the chance that a potential victim will\r\ndownload and open the malicious document: the hosting forum is legitimate, and the malicious document is\r\nnamed accordingly (“Housing acceptance procedure” in Russian).\r\nAll links in the forum messages lead to the URL address files[.]maintr**plus[.]com, where the RTF document\r\nwith the exploit was hosted. The threat actors sometimes used PPT files containing an executable PE file which\r\ndid not contain the exploit, as the payload was launched by a script embedded into the PPT file.\r\nhttps://securelist.com/a-simple-example-of-a-complex-cyberattack/82636\r\nPage 1 of 3\n\nIf a Microsoft Office vulnerability is successfully exploited, the exploit creates an executable PE file on the hard\r\ndrive and launches it for execution. The malicious program is a platform used to deploy extra (add-on) malicious\r\nmodules, store them stealthily and thus add new capabilities for the threat actors. The attack unfolds in several\r\nstages, as described below:\r\n1. The exploit is activated, and an appropriate (32-bit or 64-bit) version of the malicious program is\r\ninstalled on the victim computer, depending on the type of operating system installed on it. To do this\r\ninstallation, malicious code is injected into the system process ‘explorer.exe’ rather than into its memory.\r\nThe malicious program has a modular structure: its main body is stored in the registry, while its add-on\r\nmodules are downloaded following the instruction arriving from the C\u0026C server. DLL hijacking (use of a\r\nmodified system library) is used to ensure that the main module is launched each time the system is\r\nrebooted.\r\n2. The main module of the malicious program receives an instruction to download and launch add-on\r\nmodules, which opens new capabilities for the threat actors.\r\n3. The malicious add-on modules provide opportunities to control the victim system, take screenshots of\r\nwindows and intercept information entered from the keyboard. We have seen them in other cyber-espionage campaigns as well.\r\n4. The threat actors use PowerSploit, a modified set of PowerShell scripts, and various utilities to steal files\r\nand passwords found on the victim computer.\r\nThe cybercriminals were primarily interested in .doc, .ppt, .xls, .docx, .pptx, .xlsx, .pdf, .txt and .rtf files on the\r\nvictim computers. The harvested files were packed into a password-protected archive and sent to the threat actors’\r\nserver.\r\nOverall, the tactics, techniques and procedures that the cybercriminals used in their attacks can hardly be\r\nconsidered complicated or expensive. However, there were a few things that caught our eye:\r\nThe payload (at least one of the modules) is delivered using some simple steganography. Within traffic, it\r\nlooks like a download of a regular JPEG image; however, the encrypted payload is loaded immediately\r\nafter the image data. Microcin searches for a special ‘ABCD’ label in such a file; it is followed by a special\r\nstructure, after which the payload comes, to be decrypted by Microcin. This way, new, platform-independent code and/or PE files can be delivered.\r\nIf the Microcin installer detects the processes of some anti-malware programs running in the system, then,\r\nduring installation, it skips the step of injecting into ‘explorer.exe’, and the modified system library used\r\nfor establishing the malicious program within the system is placed into the folder %WINDIR%; to do this,\r\nthe system app ‘wusa.exe’ is used with the parameter “/extract” (on operating systems with UAC).\r\nConclusion\r\nNo fundamentally new technologies are used in this malicious campaign, be it 0-day vulnerabilities or innovations\r\nin invasion or camouflaging techniques. The threat actors’ toolkit includes the following:\r\nA watering hole attack with a Microsoft Office exploit;\r\nFileless storage of the main set of malicious functions (i.e., the shellcode) and the add-on modules;\r\nInvasion into a system process without injecting code into its memory;\r\nDLL hijacking applied to a system process as a means of ensuring automatic launch that does not leave any\r\ntraces in the registry’s autorun keys.\r\nThe attackers also make use of PowerShell scripts that are used extensively in penetration tests. We have seen\r\nbackdoors being used in different targeted attacks, while PowerSploit is an open-source project. However,\r\ncybercriminals can use known technologies as well to achieve their goals.\r\nThe most interesting part of this malicious campaign, in our view, is the attack vectors used in it. The\r\norganizations that are likely to find themselves on the cybercriminals’ target lists often do not pay any attention to\r\nthese vectors.\r\nFirst, if your corporate infrastructure is well protected and therefore ‘expensive’ to attack (i.e., an attack may\r\nrequire expensive 0-day exploits and other complicated tools), then the attackers will most likely attempt to attack\r\nyour rank-and-file employees. This step follows a simple logic: an employee’s personal IT resources (such as\r\nhis/her computer or mobile device) may become the ‘door’ leading into your corporate perimeter without the need\r\nof launching a direct attack. Therefore, it is important for organizations to inform their employees about the\r\nexisting cyber threats and how they work.\r\nSecond, Microcin is just one out of a multitude of malicious campaigns that use tools and methods that are\r\ndifficult to detect using standard or even corporate-class security solutions. Therefore, we recommend that large\r\ncorporations and government agencies use comprehensive security solutions to protect against targeted attacks.\r\nThese products are capable of detecting an ongoing attack, even if it employs only a minimum of manifestly\r\nmalicious tools, as the attackers instead seek to use legitimate tools for penetration testing, remote control and other\r\ntasks.\r\nThe implementation of a comprehensive security system can substantially reduce the risk of the organization\r\nfalling victim to a targeted attack, even though it is still unknown at the time of the attack. There is no way around\r\nit; without proper protection, your secrets may be stolen, and information is often more valuable than the cost of\r\nits reliable protection.\r\nFor more details of this malicious attack, please read Attachment (PDF).\r\nSource: https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636"
	],
	"report_names": [
		"82636"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434472,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/588bee6783fbc1097d878afda76d4c4528c207d1.pdf",
		"text": "https://archive.orkl.eu/588bee6783fbc1097d878afda76d4c4528c207d1.txt",
		"img": "https://archive.orkl.eu/588bee6783fbc1097d878afda76d4c4528c207d1.jpg"
	}
}