This February, during our hunting efforts for threat actors using VBS/VBA implants, Kaspersky researchers came across MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant. The implant itself is a VBS script with functionality to collect system information and execute arbitrary code sent by the attackers on the infected machine.
Although these intrusion sets may appear similar to the new MuddyWater first stage VBS implant used for reconnaissance and profiling activities, which Kaspersky researchers described recently in a private report, they have slightly different TTPs and wider targeting. To date, most of the known victims are located in the Middle East, but there are also targets in other regions. Various industries are affected by this campaign. The main focus is on government and diplomatic entities, though we also noticed an unusual targeting of law firms and financial institutions.