Reverse engineering DUBNIUM (Microsoft Malware Protection Center)

“In most cases, the daily operation of the DUBNIUM APT depends on social engineering through spear-phishing. They are observed to mainly rely on an .LNK file that has an icon that looks like a Microsoft Word file. If the victim clicks the file thinking it’s a Microsoft Office Word file, it downloads a simple dropper that will download and execute next stage binary – which in this case, has the file name of kernelol21.exe.”

Source: Reverse engineering DUBNIUM –Stage 2 payload analysis – Microsoft Malware Protection Center

Continue Reading