A stager is a small payload that instructs the compromised computer to pull down the next phase of malicious code.

Stagers may be malicious pieces of code inserted into documents to weaponize them. Detecting stagers can be challenging because the code is small and appears benign. However, the stager instructs the computer to make an external call to download a malicious piece of code and execute it. Applications such as Microsoft Word, PowerShell, and Adobe Reader may make that HTTP request with an application-specific user-agent.

Targeted applications

  • Microsoft Office
  • Adobe PDF reader

Malware/Threat actors

| Name | Type | Years | Source |
| --- | --- | --- | --- |
| APT38 | threat actor | 2014-2018 | rpt-apt38-2018-web_v4.pdf |
| Wild Neutron | threat actor | 2013-2015 | WildNeutron_Economic_espionage.pdf |
| | | | ICIT-Brief-Know-Your-Enemies-2.0.pdf |

Preventions

  • Microsoft Office has an option to allow only Microsoft-signed macros to run.
  • Keep applications up to date.

Detections

Monitor the User-Agent header in HTTP traffic for applications like Microsoft Office, PowerShell, and Adobe making external connections to unknown entities.
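As an added example (not part of the original page, and not tied to any of the listed reports), the following Python script applies this detection to proxy log lines. The log format, the sample lines, the user-agent fragments, and the destination allowlist are all constructed for illustration; the only page-sourced idea is that Office, PowerShell and Adobe user-agents contacting hosts outside an expected set deserve a look. Raw-IP destinations are flagged as an extra field so an analyst can prioritize; that heuristic is this example's own assumption.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample proxy log (not from the original page). Format assumed here:
# "<timestamp> <client ip> <method> <url> <status> \"<user-agent>\""
# Hosts use reserved documentation ranges / reserved TLDs only.
SAMPLE_LOG = """\
2023-01-01T10:00:01Z 10.0.0.5 GET http://updates.contoso.local/office/manifest.xml 200 "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.4266; Pro)"
2023-01-01T10:00:07Z 10.0.0.5 GET http://203.0.113.44/stage2.bin 200 "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.4266; Pro)"
2023-01-01T10:01:15Z 10.0.0.9 GET http://cdn.example-files.test/u.ps1 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023"
2023-01-01T10:02:00Z 10.0.0.12 GET https://www.example.org/page 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/110.0 Safari/537.36"
2023-01-01T10:03:30Z 10.0.0.7 GET http://198.51.100.8/doc.pdf 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0) Adobe Reader DC"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# User-agent fragments for the document/script applications named on the page.
# Real products vary these strings by version; treat them as a starting point.
APP_UA_PATTERNS = {
    "Microsoft Office": re.compile(r"Microsoft Office|Microsoft (?:Word|Excel|PowerPoint)|ms-office", re.I),
    "PowerShell": re.compile(r"PowerShell", re.I),
    "Adobe": re.compile(r"Adobe|Acrobat", re.I),
}

# Placeholder allowlist of destinations these applications are expected to reach
# (vendor update/licensing endpoints, internal servers). Replace with your own.
ALLOWLIST = ("contoso.local",)


def is_allowlisted(host, allowlist=ALLOWLIST):
    """True if host equals an allowlisted name or is a subdomain of one."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowlist)


def is_ip_literal(host):
    """True if the destination is a bare IP address rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify_user_agent(ua):
    """Return the application name whose user-agent fragment matches, else None."""
    for app, pattern in APP_UA_PATTERNS.items():
        if pattern.search(ua):
            return app
    return None


def find_stager_candidates(log_text, allowlist=ALLOWLIST):
    """Return requests made by Office/PowerShell/Adobe user-agents to hosts outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        app = classify_user_agent(m["ua"])
        if app is None:
            continue  # browsers and other clients are out of scope for this check
        host = urlparse(m["url"]).hostname or ""
        if is_allowlisted(host, allowlist):
            continue
        hits.append({
            "time": m["ts"],
            "client": m["client"],
            "app": app,
            "host": host,
            "url": m["url"],
            "ip_literal": is_ip_literal(host),
        })
    return hits


if __name__ == "__main__":
    for hit in find_stager_candidates(SAMPLE_LOG):
        flag = " [raw IP destination]" if hit["ip_literal"] else ""
        print(f'{hit["time"]} {hit["client"]} {hit["app"]} -> {hit["url"]}{flag}')
```

Against the sample, the allowlisted Office manifest fetch and the browser request are ignored, while the Office, PowerShell and Adobe requests to unknown hosts are reported. In production the allowlist is the hard part: build it from observed baseline traffic for each application before alerting, or the rule will be dominated by legitimate update and licensing calls.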

Toolkit

<Toolkit instructions, if applicable>

Similar techniques

References

  • [<Source name>](<Source link>)