Netskope Threat Coverage: Menorah

Netskope analyzed a malicious Word document delivering a backdoor named Menorah attributed to APT34, distributed via spear-phishing and obfuscated VBA. The payload drops a .NET executable, persists via a scheduled task, and communicates with a C2 server over HTTP to receive commands. #Menorah #APT34 #OneDriveStandaloneUpdater #tecforsc #gtempurl #OfficeMacros

Keypoints

  • The malware is linked to the APT34 group and distributed through spear-phishing using a malicious Word document.
  • Initial user action (enabling macros) triggers execution; the document shows a blank page with an instruction to enable macros.
  • The VBA project is password protected and the macros are obfuscated with Chr() calls to evade detection; once deobfuscated, the real payload is a base64-encoded string.
  • The macro decodes the strings and executes embedded VBScript through the TransformNode method of the DOMDocument COM object (an XSL transform), dropping Menorah.exe (a .NET binary).
  • A scheduled task named “OneDriveStandaloneUpdater” provides persistence for the backdoor.
  • The backdoor communicates with a C2 server over HTTP, sending a host fingerprint that is base64-encoded and XORed with the key “Q&4g”; responses carry commands such as whoami.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The Word document was distributed via spear-phishing to deliver the payload. ‘distributed via spear-phishing’
  • [T1204.002] User Execution – Initial file open requires user action to enable macros. ‘Initially, opening the file will show a blank document with an instruction to enable macros.’
  • [T1027] Obfuscated/Compressed Files and Information – VBA project is password protected and macros are obfuscated using the Chr( ) function. ‘password protected and macros are obfuscated using the Chr( ) VBA function’
  • [T1059.005] VBScript – The macro carries VBScript inside XSL strings and runs it through the TransformNode method of the DOMDocument COM object. ‘The XSL strings contain the VBScript code and XSL execution is performed using the TransformNode method of the DOMDocument COM object.’
  • [T1053.005] Scheduled Task – A scheduled task named “OneDriveStandaloneUpdater” is created for persistence. ‘scheduled task is named “OneDriveStandaloneUpdater”’
  • [T1071.001] Web Protocols – The backdoor talks to its C2 server over HTTP, beaconing with POST requests at a fixed interval. ‘Periodic HTTP POST requests are sent to the C2 server in a fixed 32-second interval with encapsulated data.’
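The fixed 32-second POST cadence described above is exactly the kind of low-jitter beaconing a proxy-log query can surface. The following is an added example, not Netskope's code; the log format, the sample lines and the 10% jitter threshold are constructed assumptions.

```python
"""Flag fixed-interval HTTP POST beaconing, such as Menorah's 32-second C2 cadence."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: timestamp client method host path (not real traffic).
# 10.0.0.5 posts every 32 seconds; 10.0.0.7 posts at irregular intervals.
SAMPLE_LOG = """\
2023-09-28T10:00:00 10.0.0.5 POST tecforsc-001-site1.gtempurl.com /ads.asp
2023-09-28T10:00:32 10.0.0.5 POST tecforsc-001-site1.gtempurl.com /ads.asp
2023-09-28T10:01:04 10.0.0.5 POST tecforsc-001-site1.gtempurl.com /ads.asp
2023-09-28T10:01:36 10.0.0.5 POST tecforsc-001-site1.gtempurl.com /ads.asp
2023-09-28T10:02:08 10.0.0.5 POST tecforsc-001-site1.gtempurl.com /ads.asp
2023-09-28T10:00:10 10.0.0.7 POST example.org /login
2023-09-28T10:03:45 10.0.0.7 POST example.org /login
2023-09-28T10:04:02 10.0.0.7 POST example.org /login
2023-09-28T10:09:30 10.0.0.7 POST example.org /login
2023-09-28T10:04:05 10.0.0.7 GET example.org /
"""


def parse_log(text):
    """Group POST request timestamps by (client, host, path)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        ts, client, method, host, path = line.split()
        if method == "POST":
            groups[(client, host, path)].append(datetime.fromisoformat(ts))
    return groups


def find_beacons(text, min_requests=4, max_jitter_ratio=0.1):
    """Return (client, host, path, mean_interval_seconds) for each POST series
    whose inter-request gaps vary by at most max_jitter_ratio of their mean."""
    hits = []
    for key, times in parse_log(text).items():
        if len(times) < min_requests:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # A real beacon has near-constant gaps: low standard deviation relative to the mean.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            hits.append((*key, avg))
    return hits


if __name__ == "__main__":
    for client, host, path, interval in find_beacons(SAMPLE_LOG):
        print(f"beacon: {client} -> {host}{path} every {interval:.0f}s")
```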

Indicators of Compromise

  • [MD5] – 64f8dfd92eb972483feaf3137ec06d3c – sample hash of Menorah
  • [SHA-1] – 3d71d782b95f13ee69e96bcf73ee279a00eae5db – sample hash
  • [SHA-256] – 8a8a7a506fd57bde314ce6154f2484f280049f2bda504d43704b9ad412d5d618 – sample hash
  • [Dropped File] Dropped executable path – C:\programdata\office356\menorah.exe
  • [Network] C2 URL – http[:]//tecforsc-001-site1[.]gtempurl[.]com/ads.asp

Read more: https://www.netskope.com/blog/netskope-threat-coverage-menorah