Are MOUSEISLAND malware procedures mitigated on this host?

This TTP downloads a ZIP file, the ZIP archive holds a Microsoft Word document that contains a macro. If Microsoft Office is installed on the host, the TTP will attempt to open the Word document.

MOUSEISLAND was listed in CISA's "2021 Top Malware Strains" advisory and has been active since 2019. MOUSEISLAND is classified as a macro downloader. MOUSEISLAND is usually found within the embedded macros of a Microsoft Word document and can download other payloads. The primary delivery method for MOUSEISLAND is phishing.

At a high level, some of MOUSEISLAND's capabilities are:

  • Initial access - Usually delivered in phishing emails as a malicious attachment.
  • Execution - Malicious Office files are executed to initiate additional stages or run a payload.
    This TTP was designed to emulate MOUSEISLAND's execution capabilities. Microsoft Defender may flag this TTP as `TrojanDownloader:O97M/Donoff.PL`.

Testing

Execute `Are MOUSEISLAND malware procedures mitigated on this host?` in Operator on each host in your environment to test if you are vulnerable.

This TTP downloads a zip file containing an MS Word document with a macro. If 7-Zip is installed, the TTP downloads a password-protected archive and extracts the Word document using the password (`prelude`); if 7-Zip is not installed, it downloads an archive that is not password-protected and extracts the file with `Expand-Archive`. A new directory, `Documents`, is created in `$env:temp`. The TTP then performs a conditional check to verify that the Word document, `documento-03.26.2021_9657652.doc`, was extracted successfully and is on disk. A second conditional check tests whether MS Word is installed at `C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE`. If MS Word is found, the TTP attempts to open the Word document. Most likely, automatic macro execution in Word is still at its default setting, which requires a human to enable macros, so the macro will not run. After 5 seconds, the TTP attempts to stop the Microsoft Word process and delete all artifacts.

Remediation

CISA lists ‘Immediate Actions You Can Take Now to Protect Against Malware’. One of the actions listed is to provide end-user awareness and training about social engineering and phishing. This is important since the vector for initial access is via phishing. To further protect your systems, ensure Microsoft Word is configured to block automatic macro execution.
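The following read-only check is an added example, not Prelude's or Operator's own code. It reports the same conditions the Testing section walks through (whether WINWORD.EXE exists at the path above, whether the extracted document is still on disk) together with the Word macro setting the remediation asks for. The registry value names are the documented Office 16.0 locations; the `Mitigated` verdict and the function name are this example's own definitions.

```powershell
# Added example (not Prelude's code): read-only check of the Word macro
# settings and on-disk artifacts that this TTP exercises. Registry paths
# are the documented Office 2016/365 (16.0) locations; the artifact path
# and WINWORD.EXE location come from the TTP description above.
function Test-MouseIslandMitigation {
    $winword   = 'C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE'
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
    $userKey   = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security'
    $artifact  = Join-Path $env:TEMP 'Documents\documento-03.26.2021_9657652.doc'

    # VBAWarnings: 1 = enable all, 2 = disable with notification (default),
    # 3 = disable except digitally signed, 4 = disable all without notification.
    # A GPO-delivered value under Policies takes precedence over the user key.
    $vba    = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $source = 'Policy'
    if ($null -eq $vba) {
        $vba    = (Get-ItemProperty -Path $userKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $source = 'User'
    }
    if ($null -eq $vba) { $vba = 2; $source = 'Default (value absent)' }

    # Mark-of-the-Web block: 1 means macros in files downloaded from the
    # Internet are blocked outright, which covers this phishing delivery path.
    $motw = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    $wordInstalled = Test-Path $winword
    [pscustomobject]@{
        WordInstalled         = $wordInstalled
        VBAWarnings           = $vba
        VBAWarningsSource     = $source
        AutoMacrosBlocked     = ($vba -ge 2)        # anything but "enable all"
        InternetMacrosBlocked = ($motw -eq 1)
        ArtifactOnDisk        = (Test-Path $artifact) # leftover from a failed cleanup
        # Verdict as defined by this example: the TTP cannot reach the macro
        # stage if Word is absent, and the macro will not auto-run at level 2+.
        Mitigated             = (-not $wordInstalled) -or ($vba -ge 2)
    }
}

Test-MouseIslandMitigation | Format-List
```

`ArtifactOnDisk` is reported separately because a leftover document only shows that the TTP ran and its cleanup failed; it says nothing about whether the macro could have executed.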

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current

See the latest kill chain and TTP Releases: https://chains.prelude.org

See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu

Reddit: https://www.reddit.com/r/preludeorg/

Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg

Read our blog: https://feed.prelude.org

Watch our live streams: https://www.twitch.tv/preludeorg

Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky

Alex: https://twitter.com/khyberspache

Kris: https://twitter.com/Xanthonus

Octavia: https://twitter.com/VV_X_7

Bart: https://twitter.com/bartimusprimed

Waseem: https://twitter.com/gerbsec

Sam: https://twitter.com/heavenraiza

Source: https://feed.prelude.org