Threat Watch

Geodo Botnet Spreading Oakbot Malware

It seems as if the new Geodo campaign is specifically targeting United States government employees. Oakbot finds its way into a system through phishing. The new Geodo campaign operates much like the previous campaign Geodo was involved in: it starts as an Office document containing malicious macros, and if those macros are executed they begin downloading the Oakbot payload. The difference in the new campaign is that it checks the payload size and then verifies that the file being downloaded is an EXE file. Once downloaded, Oakbot is saved as 914.exe in the system's temporary folder. Two separate checks, anti-analysis and anti-sandbox, run while the system is being infected, which lowers the likelihood of detection. Although the campaign appears to have a specific target at the moment, there is reason to believe it will continue to evolve and target other organizations.
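The behaviour described above (an Office document's macros dropping an EXE into the temporary folder and running it) is something endpoint telemetry can catch. The following detection logic is an added example, not code from the original bulletin; the log format, field names and sample events are all constructed, and the process-creation pattern it flags is an Office application launching an .exe from a Windows temp directory.

```python
"""Flag process-creation events where an Office application launches an
executable from a Windows temporary folder. The pipe-delimited key=value
log format and the sample events below are constructed for this example."""
import re
from dataclasses import dataclass

# Office hosts whose child processes deserve scrutiny (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Matches "\AppData\Local\Temp\" or "\Windows\Temp\" anywhere in a path.
TEMP_DIR_RE = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp)\\", re.I)


@dataclass
class Finding:
    line_no: int
    parent: str
    image: str


def parse_event(line):
    """Parse 'key=value' pairs separated by '|' into a lower-cased-key dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def is_suspicious(event):
    """True when an Office parent spawns an .exe located in a temp directory."""
    parent = event.get("parentimage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("image", "")
    return (parent in OFFICE_PARENTS
            and image.lower().endswith(".exe")
            and TEMP_DIR_RE.search(image) is not None)


def scan(lines):
    """Return a Finding for every suspicious ProcessCreate event in the log."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev.get("event") == "ProcessCreate" and is_suspicious(ev):
            findings.append(Finding(n, ev["parentimage"], ev["image"]))
    return findings


# Constructed sample log: one dropper launch, two benign Office events,
# and a file-write event that this rule deliberately ignores.
SAMPLE_LOG = [
    r"event=ProcessCreate|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Users\jdoe\AppData\Local\Temp\914.exe",
    r"event=ProcessCreate|ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"event=ProcessCreate|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\splwow64.exe",
    r"event=FileCreate|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|TargetFilename=C:\Users\jdoe\AppData\Local\Temp\914.exe",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.parent} -> {f.image}")
```

Pairing this rule with the corresponding file-write event (an Office process creating an .exe in a temp folder) would catch the drop even if execution is blocked.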

ANALYST NOTES

Be cautious with mail from unrecognized senders, and do not open any document attached to such a message. The message can be forwarded to the appropriate party to verify its legitimacy, giving them the opportunity to warn the rest of the company if it turns out to be a phishing campaign.