Cmstar Downloader: Lurid and Enfal's New Cousin
In recent weeks, Unit 42 has been analyzing delivery documents used in spear-phishing attacks that drop a custom downloader employed in cyber espionage campaigns. This specific downloader, Cmstar, is associated with the Lurid downloader, also known as ‘Enfal’. Cmstar was named for the log message ‘CM**’ used by the downloader.
Unit 42 is aware of threat actors using two toolkits, MNKit and the Tran Duy Linh toolkit, to produce malicious documents that exploit CVE-2012-0158...