
Hackers use a new technique in phishing attacks to disable Macro security warnings in weaponized docs

July 9, 2021 - SecurityAffairs

Threat actors have devised a new trick to disable macro security warnings, leveraging non-malicious documents in phishing attacks.

Most phishing attacks leverage weaponized Microsoft Office documents and social engineering techniques to trick recipients into enabling macros.

Now experts from McAfee Labs warn of a novel technique in which threat actors use non-malicious documents to disable security warnings before executing macro code on the recipient's PC.

The attackers download and execute malicious DLLs (ZLoader) without any malicious code being present in the macro of the initial spammed attachment.

Zloader has been active at least since 2016. It borrows some functions from the notorious Zeus 2.0.8.9 banking Trojan and was used to spread Zeus-like banking trojans (i.e. Zeus OpenSSL).

The attack chain starts with a phishing message carrying a Microsoft Word document that, once opened, downloads a password-protected Microsoft Excel file from a remote server.

The download can start only after the victim has enabled the macros embedded in the Word document.

“After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions,” reads the analysis published by McAfee. “Once the macros are written and ready, the Word document sets the policy in the registry to ‘Disable Excel Macro Warning’ and invokes the malicious macro function from the Excel file. The Excel file now downloads the ZLoader payload. The ZLoader payload is then executed using rundll32.exe.”

Upon downloading the XLS file, the Word VBA reads the content of the cells from XLS and uses it to create a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions.

Once the macros are completed, the Word document disables the macro security warnings by setting the policy in the registry (HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\AccessVBOM) to Disable Excel Macro Warning and executes the malicious macro function of the Excel file.

Then the Excel file downloads and executes the Zloader payload using rundll32.exe.
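The chain described above leaves three observable traces on the endpoint: an Office process writing the AccessVBOM value, Word spawning Excel, and Excel spawning rundll32.exe. The following detection logic, an added example that is not part of the SecurityAffairs article or McAfee's analysis, runs over a handful of constructed Sysmon-style events (EventID 13 registry value set, EventID 1 process creation; field names follow Sysmon's schema, the values are invented) and reports each stage. The registry pattern generalizes the 12.0 key named in the article to any Office version and to the Word and PowerPoint equivalents.

```python
import re

# Constructed Sysmon-style events for this example (not real telemetry).
# EventID 13 = RegistryEvent (value set), EventID 1 = ProcessCreate.
OFFICE12 = r"C:\Program Files\Microsoft Office\Office12"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": OFFICE12 + r"\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Word VBA granting itself access to the VBA project object model
    {"EventID": 13, "EventType": "SetValue", "Image": OFFICE12 + r"\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\12.0\Excel\Security\AccessVBOM",
     "Details": "DWORD (0x00000001)"},
    # Word launching Excel, then Excel launching rundll32.exe
    {"EventID": 1, "Image": OFFICE12 + r"\EXCEL.EXE",
     "ParentImage": OFFICE12 + r"\WINWORD.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": OFFICE12 + r"\EXCEL.EXE"},
    # Benign noise: Excel opened from Explorer, and the value being reset to 0
    {"EventID": 1, "Image": OFFICE12 + r"\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\12.0\Excel\Security\AccessVBOM",
     "Details": "DWORD (0x00000000)"},
]

# The article cites the Office 12.0 Excel key; this pattern accepts any
# version number and the Word/PowerPoint equivalents of the same value.
ACCESSVBOM_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\(?:Excel|Word|PowerPoint)\\Security\\AccessVBOM$",
    re.IGNORECASE)
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}


def image_name(path):
    """Lower-cased file name of an image path (backslash separated)."""
    return path.rsplit("\\", 1)[-1].lower()


def dword_value(details):
    """Parse Sysmon's 'DWORD (0x00000001)' Details string into an int."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    return int(m.group(1), 16) if m else None


def detect(events):
    """Return one finding per suspicious event; order follows the input."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13 and ev.get("EventType") == "SetValue":
            if ACCESSVBOM_RE.search(ev["TargetObject"]) and dword_value(ev["Details"]) == 1:
                findings.append({"rule": "accessvbom_enabled",
                                 "image": image_name(ev["Image"]),
                                 "key": ev["TargetObject"]})
        elif ev["EventID"] == 1:
            child, parent = image_name(ev["Image"]), image_name(ev["ParentImage"])
            if parent in OFFICE_IMAGES and child in OFFICE_IMAGES and child != parent:
                findings.append({"rule": "office_spawned_office",
                                 "image": child, "parent": parent})
            elif parent in OFFICE_IMAGES and child == "rundll32.exe":
                findings.append({"rule": "office_spawned_rundll32",
                                 "image": child, "parent": parent})
    return findings


def chain_matched(findings):
    """True when all three stages of the described chain are present."""
    rules = {f["rule"] for f in findings}
    return {"accessvbom_enabled", "office_spawned_office",
            "office_spawned_rundll32"} <= rules


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("full chain observed:", chain_matched(found))
```

Each rule on its own produces noise (an administrator can legitimately enable AccessVBOM, and Excel launched from Word is not unusual), so `chain_matched` is the alert-worthy condition; the individual findings are better surfaced as context. The AccessVBOM write itself is worth monitoring regardless, since a user who never ticks "Trust access to the VBA project object model" in the Trust Center should not see an Office process setting it.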


“Malicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payloads,” the researchers conclude. “Usage of such agents in the infection chain is not only limited to Word or Excel, but further threats may use other living off the land tools to download its payloads.”


Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog “Security Affairs”, recently named a Top National Security Resource for the US. Pierluigi is a member of the “The Hacker News” team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
