Spy malware has been delivered through Office macros for a decade: Report

Security teams are being warned of a just-discovered family of malicious Microsoft Office macros which may have been quietly in use for a decade.

Researchers at Palo Alto Networks said Monday they have identified and collected over 40 variants of the previously unpublished malware family they dub “Infy.”

“We believe that we have uncovered a decade-long operation that has successfully stayed under the radar for most of its existence as targeted espionage originating from Iran,” says the report. “It is aimed at governments and businesses of multiple nations as well as its own citizens.”

The discovery started 12 months ago when Palo Alto Networks detected two e-mails carrying malicious documents from a compromised Israeli Gmail account used by an Israeli industrial organization. One e-mail carried a Microsoft PowerPoint file named “thanks.pps” (VirusTotal), the other a Microsoft Word document named “request.docx”. Around the same time the vendor also captured an e-mail containing a Word document (“hello.docx”) with an identical hash as the earlier Word document, this time sent to a U.S. government recipient.

Attacks using Infy typically start with a spear-phishing e-mail carrying a Word or PowerPoint document, researchers say, which contains a multi-layer Self-Extracting Executable Archive (SFX). If a PPS file, when clicked the user sees a PowerPoint page that mimics a paused movie. That encourages the victim to clicking “Run,” which allows the embedded SFX file to execute.

The executable installs the mail payload, a DLL filed that writes to the autorun registry key, and doesn’t activate until a reboot. After reboot, it first checks for antivirus and then connects to a command and control server (C2). It starts collecting environment data from the infected system, initiates a keylogger, and steals browser passwords and content such as cookies, before exfiltrating the stolen data to the C2 server.

Researchers found a file with an identical hash as the originally-discovered malicious PowerPoint file but a different filename (“syria.pps”), uploaded to VirusTotal in May of 2015. A characteristic observed across these campaigns is that the actor puts deliberate effort into the specific geographic targeting, with region-specific attack content. They also found a report by the Danish Defense Intelligence Service’s Center for Cybersecurity, which had observed similar attacks against Danish government targets. In addition they found additional malware and campaigns based on infrastructure, hashes, strings, and payload links and other similarities.

Based on a specific encoding technique and key found researchers identified related Infy samples from as early as mid 2007 in VirusTotal, a free service that analyzes suspicious files and URLs. There is evidence that the C2 domain associated with the oldest sample found that it may have been at work as far back as December 2004.

Fortunately, most of the associated malware samples dating back over the last five years were eventually detected by antivirus programs, says the report, but in most cases with a generic signature.

At any rate, it’s another example of why CISOs have to initiate enterprise-wide campaigns to regularly remind employees to slow down and carefully read email, particularly those that include attachments — and before clicking on attachments make a phone call and check if the sender is legit. Having up to date antimalware and software helps as well.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now