Blog | G5 Cyber Security

Terminator RAT became more sophisticated in recent APT attacks

A Word document sent to victims as an attachment exploited a vulnerability in Microsoft Office (CVE-2012-0158) and subsequently dropped a malware installer named “”. Sometimes the simplest techniques can foil complex systems created by security firms and large enterprises to detect malicious programs and files. The malware only runs after a reboot. This is an effective way to evade automated sandbox analysis, as the malicious activity is only revealed after a reboot. The RAT (svchost_.exe) works with its relay (sss.exe) to communicate with the command and control server at liumingzhen.zapto.org / 123.51.208.
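Execution that waits for a reboot defeats a single-session sandbox run, but it leaves a pattern in endpoint telemetry that spans boot sessions. The hunt logic below is an added example, not code from the original article; the event schema, the file paths and the set of Office process names are constructed assumptions.

```python
# Added example. The event tuples are a constructed schema, not a real EDR format.
OFFICE_WRITERS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed writer set

# Constructed sample telemetry: (time, kind, image path, acting process).
DROPPED = r"C:\Users\a\AppData\Local\Temp\installer_placeholder.exe"  # placeholder name
SAMPLE_EVENTS = [
    (100, "boot", "", ""),
    (130, "file_create", DROPPED, "WINWORD.EXE"),
    (140, "file_create", r"C:\Tools\updater.exe", "msiexec.exe"),
    (150, "file_create", r"C:\Users\a\Temp\macro_helper.exe", "EXCEL.EXE"),
    (151, "proc_start", r"C:\Users\a\Temp\macro_helper.exe", "EXCEL.EXE"),
    (900, "boot", "", ""),
    (905, "proc_start", DROPPED, "explorer.exe"),
    (910, "proc_start", r"C:\Tools\updater.exe", "services.exe"),
]


def deferred_executions(events):
    """Return executables written by an Office process in one boot session
    whose first execution happens only in a later boot session."""
    session = 0          # incremented on every boot event
    written = {}         # lowercased path -> session in which Office wrote it
    seen_running = set() # paths that have already executed at least once
    hits = []
    for _ts, kind, path, actor in sorted(events):
        key = path.lower()
        if kind == "boot":
            session += 1
        elif kind == "file_create" and actor.lower() in OFFICE_WRITERS:
            written[key] = session
        elif kind == "proc_start" and key not in seen_running:
            seen_running.add(key)
            # Only the first run counts: a file that already ran in the
            # session it was written in would have been visible to a sandbox.
            if key in written and session > written[key]:
                hits.append(path)
    return hits


if __name__ == "__main__":
    for path in deferred_executions(SAMPLE_EVENTS):
        print("written by Office, first run after reboot:", path)
```

The installer-written file and the file that runs in the same session it was written are both ignored, so only the cross-reboot case is reported.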

Source: https://thehackernews.com/2013/10/terminator-rat-became-more.html
