Double Deceit: Bad Things Come in Pairs
The Chinese proverb may say that good things come in pairs, but in what appears to be a clever bit of social and technical engineering, we’ve discovered a new email threat carrying not one but two malicious attachments as bait: a PDF file and a Microsoft Template file (OpenXML/DOTX). The threat targets a previously reported Microsoft Office vulnerability in order to deliver the remote access trojan (RAT) known as NetWiredRC. We believe the use of two attachments is intended to make the email seem more legitimate to recipients. Typically hackers send only one malicious attachment; by sending two, they increase the chances that the target will open at least one of them. In addition, the techniques applied within the attachments add a few layers of complexity to both the delivery of the exploit and the final payload, and are intended to help evade detection.