Canada and the U.S. are among the countries where attackers are using a new tactic to bypass Microsoft Office’s protections against macro-based malware, according to a new report from McAfee.
Using macro obfuscation, built-in Windows tools and legacy XLS formats that Excel still supports, the campaign downloads and executes malicious DLLs without any malicious code being present in the initial email attachment.
Briefly, a victim gets a phishing email with a Microsoft Word document attachment. If the document is opened, a password-protected Microsoft Excel file is downloaded.
By default, Microsoft Office disables macros so that an infected document cannot run them automatically. To get around this, the attackers display a decoy message claiming the document was created in an earlier version of Word and asking the victim to click the ‘Enable editing’ and ‘Enable content’ buttons. Doing so allows the macros to run.
The text box that displays the message also stores everything the macro needs to reach the remote Excel document, including the password required to open it. Code hidden in the Excel file’s cells is used to create a new VBA (Visual Basic for Applications) module and build an XLS macro. That macro modifies the registry key controlling trust access to the VBA project object model, so the new module can be written and run without any Microsoft Office warning. The macro then downloads a malicious file, zloader.dll, from a command-and-control server.
“Malicious documents have been an entry point for most malware families,” the blog notes, “and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payload as we discussed in this blog. Usage of such agents in the infection chain is not only limited to Word or Excel, but further threats may use other living off the land tools to download its payloads.”
McAfee advises users not to open email attachments or click links in a message without first verifying the sender’s identity. “Always disable the macro execution for Office files,” the blog authors say.
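The registry tampering described above and McAfee’s advice to disable macros both come down to a handful of per-user Office settings. The PowerShell below is an added example, not code from McAfee or from the report, that audits those settings on a workstation and optionally enforces macro blocking through the Office policy hive. It assumes Office version keys 14.0, 15.0 and 16.0 under HKCU (adjust $OfficeVersions for your estate) and uses only documented Office registry values: AccessVBOM (1 grants a macro programmatic access to the VBA project, which is what this chain needs to write a new module), VBAWarnings (4 = disable all macros without notification) and BlockContentExecutionFromInternet.

```powershell
# Added example (not from the McAfee report or this article).
# Assumption: Office version keys to inspect; extend for other releases.
$OfficeVersions = @('14.0', '15.0', '16.0')
$Apps = @('Word', 'Excel')

# VBAWarnings values documented by Microsoft:
#   1 = enable all macros, 2 = disable with notification (the default),
#   3 = disable except digitally signed, 4 = disable without notification
function Get-OfficeMacroSetting {
    foreach ($v in $OfficeVersions) {
        foreach ($app in $Apps) {
            $user   = "HKCU:\Software\Microsoft\Office\$v\$app\Security"
            $policy = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            if (-not (Test-Path $user) -and -not (Test-Path $policy)) { continue }
            $u = Get-ItemProperty -Path $user   -ErrorAction SilentlyContinue
            $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Version             = $v
                App                 = $app
                # Trust access to the VBA project object model. A value of 1
                # lets a running macro create VBA modules programmatically;
                # it is rarely set legitimately and is what this chain flips.
                AccessVBOM          = $u.AccessVBOM
                VBAWarnings         = $u.VBAWarnings
                PolicyVBAWarnings   = $p.VBAWarnings
                PolicyBlockInternet = $p.BlockContentExecutionFromInternet
                Suspicious          = ($u.AccessVBOM -eq 1)
            }
        }
    }
}

function Set-OfficeMacroPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($v in $OfficeVersions) {
        foreach ($app in $Apps) {
            $policy = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            if ($PSCmdlet.ShouldProcess($policy, 'Enforce macro blocking')) {
                New-Item -Path $policy -Force | Out-Null
                # 4 = disable all macros without notification
                Set-ItemProperty -Path $policy -Name VBAWarnings -Type DWord -Value 4
                # Block macros in files that carry the mark-of-the-web
                Set-ItemProperty -Path $policy -Name BlockContentExecutionFromInternet -Type DWord -Value 1
                # Deny programmatic access to the VBA project object model
                Set-ItemProperty -Path $policy -Name AccessVBOM -Type DWord -Value 0
            }
        }
    }
}

# Audit first; any row with Suspicious = True deserves a look at what
# last ran in Word or Excel for that user.
Get-OfficeMacroSetting | Format-Table -AutoSize

# Preview the hardening, then drop -WhatIf to apply it.
Set-OfficeMacroPolicy -WhatIf
```

The policy hive (HKCU\Software\Policies\…) is normally populated by Group Policy, which is the right place to set these values at scale; writing them locally as above is useful for a single host or for confirming what a GPO should produce. The audit is worth running even where macros are already blocked, because an AccessVBOM value of 1 in the non-policy key is a trace that a macro, or a user, changed it.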