Canada among key targets of new Office Macro transition strategy
Canada among key targets of new Office Macro transition strategy
Canada and the US are among countries where hackers are trying a new strategy to circumvent protection from macro-based malware in Microsoft Office, according to a new report from McAfee.
Using macro obfuscation, Windows tools and legacy supported XLS format, Campaign downloads and executes the malicious DLL without any of the malicious code present in the initial email attachment.
In short, the victim receives a phishing email with a Microsoft Word document attachment. If the document is opened, the password-protected Microsoft Excel file is downloaded.
By default, Microsoft Office has automatically turned off macros to protect it from executing infected macros. However, the hackers have created a trick message saying that the document was created in a previous version of Word, and asks the victim to 'Enable editing' and click on the Enable content button. This enables macros to be run.
The box in which the message appears stores all the content needed to connect to the remote Excel document, including the password needed to open the malicious document. Code is hidden in an Excel cell that creates a new VBA (Visual Basic) module to create an XLS macro. This macro in turn modifies a registry key to disable trust access for VBA on the victim's computer without any Microsoft Office warnings. Then a malicious file called zloader.dll can be downloaded from a command and control server.
"Malicious documents have been an entry point for most malware families," notes the blog, "and these attacks are evolving their infection techniques and obscurity, limited not only to direct downloads of payloads from VBA, but to payloads." To download dynamically creating agents. We discussed in this blog. The use of such agents in the transition chain is not limited to Word or Excel only, but to download its payload to other live devices There are other hazards that you can use.
McAfee advises all users to avoid opening any email attachments or clicking on any links in Mail without verifying the identity of the sender. "Always disable macro execution for Office files," says the blog author.
No comments