On 13 January, a malicious .docx file was uploaded to Virus Total. The attacker who created the malicious file used several of Mitiga’s publicly available branding elements including logo, fonts and colors, to lend credibility to the document.

It should be stressed that:  (i) Mitiga’s network and cloud environment were not breached; (ii) the malicious document is unrelated to any activity conducted by Mitiga (e.g. red team exercises); and (iii) the file was created by a threat actor, most likely for use as part of phishing or malware spreading campaigns.

During preliminary research conducted by our team we discovered the following:

1. In addition to Mitiga’s branding elements, the .docx file contained a job description for “Raytheon Technologies”.

2. The .docx file contained downloadable content from a malicious URL address that is no longer active.

3. The URL address is connected to a wider campaign whose Command-and-Control (C2) uses domains abusing other well-known brands, including Dropbox, Microsoft, Adobe and Imgur.

4. The C2 infrastructure is connected to an older campaign dating back as early as 2019. The older campaign appears to have focused on targets in Republika Srpska of Bosnia and Herzegovina.

5. The campaign’s indicators of compromise (IOCs) are:

• .docx file (Sha256): ea69141d912626d60d57b68a38281347cde100eec728aa649efc6d6769948125

• IP addresses: 185.205.210.24, 193.37.213.252, 185,203,118.2

• Domains: dropbox-online[.]com, imgur-online[.]com, imguronline[.]com, adobe-view[.]com, adobe-documents[.]com, microsoft[.]update-store[.]com, share-download[.]com, safe-redirect[.]pw, elvacometpro[.]co

Recommendations

• If you have received a fake Mitiga document, please contact us.
• Mitiga distributes documents to external entities using the PDF file format. In the event the use of a .docx is necessary, Mitiga never asks recipients to enable macros or external content. If you receive an unexpected email attachment purporting to be from Mitiga, please treat it with caution.