Researchers discovered that hackers are using a sophisticated phishing attack strategy in which non-malicious documents are used to disable Macro security alerts before executing macro code on targeted machines.
According to McAfee Labs experts, the new technique involves downloading and running malicious DLLs (ZLoader) without any malicious code contained in the initial spammed attachment macro in order to avoid detection.
This approach was used to spread ZLoader infections particularly in the United States, Canada, Spain, Japan, and Malaysia.
The malware, which is a descendant of the infamous ZeuS banking trojan, is known for stealing credentials and personally identifiable information from users of targeted financial institutions using macro-enabled Office documents as an initial attack mechanism.
The infection chain began with a phishing email with a Microsoft Word document attachment, which when opened, downloaded a password-protected Microsoft Excel file from a remote server, according to the researchers.
The macros, on the other hand, must be activated in the Word document in order to initiate the download.
Word VBA reads the cell contents from the XLS file, develops a new macro for the same XLS file, and writes the cell contents to XLS VBA macros as functions after downloading the XLS file.
The Word document then sets the registry policy to ‘Disable Excel Macro Warning’ and launches the malicious macro function from the Excel file once the macros are written and ready.
The ZLoader payload is now downloaded by the Excel file, which is subsequently executed by rundll32.exe.
Since macro posses a security risk, they are normally blocked by default.
However, this has resulted in threat actors creating convincing social engineering traps to deceive victims into activating them.
Most malware types employ malicious documents as an entry point, and these attacks have evolved their infection strategies and obfuscation over time, including direct payload downloads from VBA and dynamically created agents to download payloads.
According to the researchers, the exploitation of such agents in the infection chain is not restricted to Word or Excel; other threats may download their payloads via other programs.
You might also like: