Threat actors can use container file formats such as ISO (.iso), RAR (.rar), ZIP (.zip), and IMG (.img) files to send macro-enabled documents. When downloaded, the ISO, RAR, etc. files will have the MOTW attribute because they were downloaded from the internet, but the document inside, such as a macro-enabled spreadsheet, will not. When the document is extracted, the user will still have to enable macros for the malicious code to automatically execute, but the file system will not identify the document as coming from the web.
BRONZE PRESIDENT targets specific data types. The threat actors use custom batch scripts to create a list of files with predefined criteria and collate the identified files into a .rar archive (see Figure 9). CTU researchers have observed BRONZE PRESIDENT batch scripts named doc.bat, xls.bat, xlsx.bat, ppt.bat, pptx.bat, pdf.bat, and txt.bat.
Sensitive information was collected, including SSH keys, VPN certificates, and more. The threat actor managed to obtain plaintext credentials of a user with read access to multiple Git repositories, and the source code was downloaded using a tool called git2.exe. To exfiltrate all this collected data, threat actors used rar.exe utility to split files into a collection of 2GB archives. Both data and headers were encrypted for these archive files and protected by the password CIA@NSA@FBI (very subtle). Before exfiltration, all files were renamed from .rar to .jpg and stored in a folder accessible from the internet. 041b061a72