Tuesday, August 9, 2022

Canada among prime targets of new Office macro infection tactic

Canada and the U.S. are among the countries where hackers are trying a new tactic for bypassing protections from macro-based malware in Microsoft Office, according to a new report from McAfee.

Using macro obfuscation, Windows tools and legacy supported XLS formats, the campaign downloads and executes malicious DLLs without any malicious code present in the initial email attachment.

Briefly, a victim gets a phishing email with a Microsoft Word document attachment. If the document is opened, a password-protected Microsoft Excel file is downloaded.

By default, Microsoft Office has macros turned off to protect against infected macros automatically executing. However, the hackers have created a trick message saying the document was created in a previous version of Word, and asks the victim to click on the ‘Enable editing’ and Enable content’ buttons. That enables macros to run.

Image from McAfee zloader report
This popup encourages victims to disable Office protection. Image from McAfee

The box the message appears in stores all content required to connect to a remote Excel document, including the password needed to open the malicious document. Hidden in Excel cells is code that creates a new VBA (Visual Basic) module to create an XLS macro. This macro in turn modifies a registry key to disable trust access for VBA on the victim’s computer without any Microsoft Office warnings. Then a malicious file called zloader.dll can be downloaded from a command and control server.

“Malicious documents have been an entry point for most malware families,” the blog notes, “and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payload as we discussed in this blog. Usage of such agents in the infection chain is not only limited to Word or Excel, but further threats may use other living off the land tools to download its payloads.”

McAfee advises all users to avoid opening any email attachments or clicking any links present in the mail without verifying the identity of the sender. “Always disable the macro execution for Office files,” the blog authors say.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.