Seduploader

Malware updated 4 months ago (2024-05-04T23:18:12.658Z)
Seduploader is a first-stage implant used by the Sofacy group (see the source documents referenced below). It typically reaches a victim inside an Office document whose VBA macro drops and runs it; once running, it collects and exfiltrates data from the host and can fetch and execute further payloads.

The payload's feature set is similar to earlier versions of the tool, but in the recent attacks there is no evidence that the previously used SofacyCarberp (Seduploader) tool was involved. The latest variant is dropped and executed by a Visual Basic for Applications (VBA) macro. Unlike this actor's previous campaigns, the new version contains no privilege-escalation step: the macro simply executes the payload and sets up persistence.

Functionally, Seduploader supports screenshot capture through the GDI API, exfiltration of collected data and of its own configuration, execution of code, and file download. The Command and Control (C2) server of the analyzed sample is myinvestgroup[.]com (shown defanged). The analyzed version uses a different key from earlier samples, key=b"\x08\x7A\x05\x04\x60\x7c\x3e\x3c\x5d\x0b\x18\x3c\x55\x64", and a different mutex name, FG00nxojVs4gLBnwKc7HhmdK0h. Because both the key and the mutex change between variants, they are useful for pivoting on this specific sample but should not be the only detection relied upon. Indicators of compromise have been identified and analyzed for the Office documents and for the Seduploader dropper.
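The indicators above (C2 domain, mutex name, key bytes) are only useful once they are matched against telemetry. The following is an added example, not code from the original page or from any referenced report, that refangs the defanged C2 domain and checks it against constructed DNS log lines, looks for the mutex name in a constructed handle listing, and searches a constructed byte buffer for the 14-byte key. The log and handle formats are invented for the example, and the key is treated as an opaque byte signature because the page does not state how the malware applies it.

```python
"""Match the Seduploader indicators from the page against constructed telemetry.

Added example, not the page's or any vendor's code. The DNS log layout,
handle-listing tuples and memory buffer below are all constructed here;
the key bytes are used only as an opaque byte pattern (assumption: the
page does not say what the key encrypts).
"""
import re

C2_DEFANGED = "myinvestgroup[.]com"          # as published on the page
MUTEX_NAME = "FG00nxojVs4gLBnwKc7HhmdK0h"    # as published on the page
KEY = b"\x08\x7A\x05\x04\x60\x7c\x3e\x3c\x5d\x0b\x18\x3c\x55\x64"


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a string that can be matched."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def match_dns(lines, c2=C2_DEFANGED):
    """Return (line_no, query) for DNS log lines that resolve the C2 domain
    or any subdomain of it. Matching is on whole labels, so a domain that
    merely contains the C2 name as a substring (notmyinvestgroup.com) is
    not a hit."""
    domain = refang(c2).lower()
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"query:\s*(\S+)", line)
        if not m:
            continue
        q = m.group(1).lower().rstrip(".")
        if q == domain or q.endswith("." + domain):
            hits.append((n, q))
    return hits


def match_mutex(handles, mutex=MUTEX_NAME):
    """handles: iterable of (pid, handle_type, object_name) tuples as a
    handle-enumeration tool might export them. Returns sorted PIDs that hold
    a Mutant whose final path component equals the published mutex name."""
    return sorted(
        {pid for pid, htype, name in handles
         if htype == "Mutant" and name.rsplit("\\", 1)[-1] == mutex}
    )


def find_key(blob: bytes, key=KEY):
    """Return every offset at which the key bytes occur in a file or
    memory dump; a 14-byte pattern is specific enough to be a useful pivot."""
    offsets, i = [], blob.find(key)
    while i != -1:
        offsets.append(i)
        i = blob.find(key, i + 1)
    return offsets


# Constructed sample telemetry (not real logs).
SAMPLE_DNS = [
    "2024-05-04T10:00:01Z client 10.0.0.5 query: www.example.com A",
    "2024-05-04T10:00:07Z client 10.0.0.5 query: myinvestgroup.com A",
    "2024-05-04T10:00:09Z client 10.0.0.9 query: notmyinvestgroup.com A",
]
SAMPLE_HANDLES = [
    (4120, "Mutant", "\\Sessions\\1\\BaseNamedObjects\\" + MUTEX_NAME),
    (600, "Mutant", "\\BaseNamedObjects\\UnrelatedMutex"),
    (4120, "File", "\\Device\\HarddiskVolume2\\Users\\user\\decoy.docx"),
]
SAMPLE_BLOB = b"\x00" * 32 + KEY + b"\xff" * 8 + KEY


def triage(dns=SAMPLE_DNS, handles=SAMPLE_HANDLES, blob=SAMPLE_BLOB):
    """Run all three checks and return the combined findings."""
    return {
        "dns": match_dns(dns),
        "mutex_pids": match_mutex(handles),
        "key_offsets": find_key(blob),
    }


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name}: {hits}")
```

The domain check deliberately compares whole labels rather than using a substring search, since a naive `"myinvestgroup.com" in line` would also fire on unrelated names that happen to contain the string. The mutex check compares only the last path component because the object-manager prefix varies with session and tooling.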
Description last updated: 2024-05-04T22:17:58.067Z
Aliases: none currently tracked on this page.
Source Document References
Information about the Seduploader malware was read from the documents below.
- MITRE (2 years ago): Sofacy Uses DealersChoice to Target European Government Agency
- MITRE (2 years ago): "Cyber Conflict" Decoy Document Used In Real Cyber Conflict