Search the Community

Apparently harmless document files that contain a malicious macro are commonly used by cybercriminals to distribute malware. However, malicious actors continue to improve their methods in an effort to evade detection. Security researcher Bart Blaze has come across a bogus invoice spam email apparently containing a Microsoft Word document (.doc). When the document is opened, if macros are not enabled, the user is instructed to enable macros in order to view the content. Once macros are enabled, the victim is presented with an image, while in the background a piece of malware is downloaded onto the computer. It’s worth noting that macros are disabled by default in Microsoft Office. Attaching malicious macros to documents is not uncommon, but the sample analyzed by Blaze is a bit different. The document is actually an MHTML, or a Multi-Purpose Internet Mail Extension (MIME) HTML file. MHTML (.mht) is a web page archive format used to combine HTML code and other resources (e.g. images, Java applets and Flash animations) in a single document. The malicious MHTML file contains an MSO object, which in turn contains an OLE object. When the file is launched, a VBS file is downloaded from Pastebin and executed. The VBS file is designed to download and execute a Trojan downloader, which in turn downloads a piece of malware. VirusTotal links provided by Blaze suggest that the final payload is a banking Trojan. The expert told SecurityWeek that the threat is very likely the notorious Dyre. The researcher has noted that attackers can build such malicious documents by creating an MHT file, appending the MSO object at the end, and renaming the resulting file with a .doc extension. The developer of olevba, a tool designed for the analysis of malicious macros hidden inside Microsoft Office documents, has pointed out that there is an even easier method. Cybercriminals can open a Word document with macros, save it as an MHTML from Word, and rename the file extension from .mht to .doc. Belgium-based researcher Didier Stevens, the developer of the OLE file analysis tool oledump, noted in a blog post that MSO files containing OLE files were previously seen in March, when cybercriminals were using XML Office documents to distribute the Dridex financial malware. “It seems obvious that malware authors are keeping up-to-date with the latest news and as such adapting their campaigns as well. Better be safe than sorry and don't trust anything sent via email,” Blaze advised in his blog post. “If you're in an organisation, you might want to consider blocking the execution of all macros (or only the ones that are digitally signed) by using GPO.” Sursa

Not long ago, criminals pushing the Dridex banking Trojan were using Microsoft Excel documents spiked with a malicious macro as a phishing lure to entice victims to load the malware onto their machines. Even though macros are disabled by default inside most organizations, the persistent hackers are still at it, this time using XML files as a lure. Researchers at Trustwave today said that over the past few days, several hundred messages have been corralled that are trying to exploit users’ trust in Office documents with some clever social engineering thrown into the mix in an attempt to convince users to enable macros and thus download the banking malware onto their machines. The XML files are passed off as “remittance advice,” or payment notifications, with the hopes that some users will believe it’s an innocent text file and execute the malicious code. “XML files are the old binary format for Office docs and once you double click them to open, the file associated with Microsoft Word and opens,” said Karl Sigler, Trustwave threat intelligence manager. The malicious macro is compressed and Base64 encoded in order to slide through detection technology, Sigler said, adding that the attackers have also included a pop-up with instructions for the user on how to enable macros with language that stresses macros must be enabled for the invoice to viewed properly or to ensure proper security. “Which is the exact opposite of what this does,” Sigler said. “It doesn’t seem to be all that sophisticated. They’re either trying to capitalize on a user’s trust in XML files, or the fact that a user may not be that familiar with what that extension is.” If the user does follow through and execute the malware, Dridex behaves like most banking Trojans. It sits waiting for a user to visiting an online banking site and then injects code onto the bank site in order to capture the user’s credentials for their online account. Sigler said this is the first time they’ve spotted XML docs used as a lure. As for macros, they’ve been disabled by default since Office 2007 was released. “Sometimes in large organizations, local administrators have the ability to enable macros,” Sigler said. “Some organizations use them quite a bit, but it’s not common. Most people leave the default settings. It’s hard to say why these guys moved to XML. It could be that they’re looking for a new attack vector and they weren’t getting good click-through rates with the Excel documents. Maybe they were not getting people to enable macros the way they hoped and they’re looking for a way to better their success rate.” Dridex is a descendent of Cridex and is in the GameOver Zeus family. GameOver Zeus has been used for years to great profit, particularly through wire fraud. It used a peer-to-peer architecture to spread and send stolen goods, opting to forgo a centralized command-and-control. P2P and domain generation algorithm techniques make botnet takedowns difficult and extend the lifespan of such malware schemes. The previous Dridex campaign targeted U.K. banking customers with spam messages spoofing popular companies either based or active in the U.K. Separate spam spikes using macros started in October and continued right through mid-December; messages contained malicious attachments claiming to be invoices from a number of sources, including shipping companies, retailers, software companies, financial institutions and others. Source