At a high level, some of MOUSEISLAND capabilities are:
Are MOUSEISLAND malware procedures mitigated on this host?in Operator on each host in your environment to test if you are vulnerable.
This TTP will download a zip file containing an MS Word document with a macro. If 7zip is installed, the TTP will download a password-protected archive and extract the Word document using the password (
prelude). If 7zip is not installed, the TTP will download a zip that is not password-protected and use Expand-Archive to extract the file. A new directory, Documents, is created in
$env:temp. The TTP will perform a conditional check to verify if the Word document,
documento-03.26.2021_9657652.doc, was extracted successfully and is on disk. A second conditional check is performed to check if MS Word is installed at the following path, C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE. If MS Word is found, the TTP will attempt to open the Word doc. Most likely, the ability to auto-execute macros in Word documents is set to its default value and requires human interaction to enable the feature. Since it should be disabled, the macro will not run. After 5 seconds, the TTP attempts to stop the Microsoft Word process and delete all artifacts.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg