Threat Spotlight – MAN1 Malware: Temple of Doom


In a previous post, we took a long journey into the malicious world of the Man1 group. We investigated a malicious macro embedded in a Word document sent via email. The macro is just the first phase of the attackers’ nefarious plot.

Today, we will dive deeper into the macro and look at the point where it transforms itself from Visual Basic to machine instructions. We’ll pick up where we left off, walking the reader through loading the raw code into memory, decoding the malware, and extracting the malware from a debugged process.


Remember, the Hancitor sample we examined in Part 1 is associated with the Man1 Group. As we dig deeper into the Man1 Group, we can learn the attackers’ tactics and techniques in order to track their campaign and watch for/anticipate changes. With that information, we can do a better job of blocking attacks similar to the ones we’re seeing with Man1.

In fact, between the time we started this journey and today, a few changes to the malicious macro have been noted. Making changes to malicious files or payloads is a common tactic leveraged by attackers, as it aids in avoiding detection and is much easier than reinventing the wheel by creating brand new malware.

We will cover those tactics and changes as we ascertain more about the malware and its behavior. Part three of this research will be published shortly and you will get to see the subtle changes.

Last Time

In our previous post, you learned about the Man1 group’s primary method of attack. Attackers were sending malicious emails containing Word documents with malicious and interesting macros. We also talked about some of their techniques, tactics and procedures (TTPs), such as the servers they used and (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Threat Guidance Team. Read the original post at: