The new Geodo campaign appears to be specifically targeting United States government employees. Oakbot reaches a system through phishing. The new campaign operates much like the previous one Geodo was involved in: it starts with an Office document carrying malicious macros, and if the macros are executed they download the Oakbot payload. What differs this time is that the downloader checks the payload's size and confirms that the file being downloaded is an EXE. Oakbot is then written to the system's temporary folder under the name 914.exe. Two separate checks, one anti-analysis and one anti-sandbox, run while the system is being infected, which reduces the chance of detection. Although the campaign appears to have a specific target for now, there is reason to believe it will continue to evolve and target other organizations.
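The size-and-EXE check the text attributes to the downloader is easy to reproduce from the defender's side when triaging a captured download: reject anything under a size floor (an HTML error page or a sinkholed response is tiny), then walk the MZ header to e_lfanew and confirm the PE signature rather than trusting the extension. The following Python is an added example written for this page; it is not code from the campaign or from the original article. The function and sample names are my own, every sample blob is constructed inline, and the 914.exe-in-Temp heuristic is drawn only from the drop location and filename the text describes.

```python
import struct
from pathlib import PureWindowsPath
from typing import Dict, Tuple

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
DOS_HEADER_LEN = 64  # IMAGE_DOS_HEADER is 64 bytes; e_lfanew lives at offset 0x3C


def looks_like_pe(data: bytes, min_size: int = 0) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when data is at least min_size bytes
    and carries a consistent MZ -> e_lfanew -> 'PE\\0\\0' chain, i.e. the same
    two properties (size floor, real EXE) the downloader in the text checks."""
    if len(data) < min_size:
        return False, f"too small ({len(data)} < {min_size} bytes)"
    if len(data) < DOS_HEADER_LEN:
        return False, "shorter than a DOS header"
    if data[:2] != MZ_MAGIC:
        return False, "no MZ signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + len(PE_MAGIC) > len(data):
        return False, "e_lfanew points past end of file"
    if data[e_lfanew:e_lfanew + len(PE_MAGIC)] != PE_MAGIC:
        return False, "no PE signature at e_lfanew"
    return True, "valid PE header"


def build_minimal_pe(padding: int = 0) -> bytes:
    """Constructed sample (not a real program): a DOS header whose e_lfanew
    points at a PE signature followed by a 20-byte COFF header."""
    dos = bytearray(DOS_HEADER_LEN)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_LEN)  # PE header directly after DOS header
    # COFF: Machine=i386, NumberOfSections=1, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE|32BIT_MACHINE)
    coff = PE_MAGIC + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + coff + b"\0" * padding


def _bad_lfanew_blob(size: int = 600) -> bytes:
    """Constructed sample: MZ header whose e_lfanew points far outside the file."""
    buf = bytearray(size)
    buf[:2] = MZ_MAGIC
    struct.pack_into("<I", buf, 0x3C, 0x10000)
    return bytes(buf)


# All blobs below are constructed for this example.
SAMPLES: Dict[str, bytes] = {
    "real_payload": build_minimal_pe(padding=4096),
    "error_page": b"<html><body>404 Not Found</body></html>",  # fails the size floor
    "not_mz": b"#!/bin/sh\n" + b"\0" * 590,                     # big enough, wrong magic
    "mz_only": MZ_MAGIC + b"\0" * 598,                           # e_lfanew=0, no PE sig
    "bad_lfanew": _bad_lfanew_blob(),
}


def triage_downloads(samples: Dict[str, bytes], min_size: int = 512) -> Dict[str, Tuple[bool, str]]:
    """Apply the check to every captured download and keep the reason for each verdict."""
    return {name: looks_like_pe(blob, min_size) for name, blob in samples.items()}


def is_suspicious_temp_drop(path: str) -> bool:
    """Heuristic taken from this campaign's drop: an .exe with an all-digit
    name (e.g. 914.exe) written under a Temp directory."""
    p = PureWindowsPath(path)
    in_temp = any(part.lower() == "temp" for part in p.parts[:-1])
    return in_temp and p.suffix.lower() == ".exe" and p.stem.isdigit()


if __name__ == "__main__":
    for name, (ok, reason) in triage_downloads(SAMPLES).items():
        print(f"{name:13} {'EXE' if ok else 'reject':6} {reason}")
    print(is_suspicious_temp_drop(r"C:\Users\alice\AppData\Local\Temp\914.exe"))
```

Only the real_payload sample passes; the HTML page is stopped by the size floor before any header parsing, and the three malformed blobs each fail at a different point of the MZ/PE walk, which is the behaviour you want when the same logic runs in a sandbox or proxy to flag a macro's second-stage fetch. The filename heuristic is deliberately narrow: it matches the drop described here and should be paired with process-lineage data (an Office process writing the file) before it is used as a detection on its own.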
When evaluating a Managed Detection & Response (MDR) service there are 5 critical components that