Researchers have found that hackers are using a new technique in phishing campaigns: a non-malicious document is used to disable macro security warnings before macro code is executed on the targeted computer.
Researchers at McAfee Labs found that, to evade detection, the technique downloads and executes malicious DLLs (ZLoader) without any malicious code being present in the macro of the initial spammed attachment.
ZLoader infections propagated using this technique were primarily reported in the U.S., Canada, Spain, Japan, and Malaysia. The malware, a descendant of the infamous ZeuS banking trojan, is known for using macro-enabled Office documents as an initial attack vector to steal credentials and personally identifiable information from users of targeted financial institutions.
While investigating the intrusions, the researchers found that the infection chain starts with a phishing email carrying a Microsoft Word document attachment which, when opened, downloads a password-protected Microsoft Excel file from a remote server. Macros must, however, be enabled in the Word document for the download to trigger at all.
After downloading the XLS file, the Word VBA code reads the cell contents of the XLS file, creates a new macro module in that same file and writes the cell contents into it as VBA functions. Once the macros are written and ready, the Word document sets the policy in the registry to ‘Disable Excel Macro Warning’ and invokes the malicious macro function from the Excel file. The Excel file then downloads the ZLoader payload, which is executed using rundll32.exe.
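The chain above leaves two telemetry footprints a defender can key on: an Office process writing an Office macro-security registry value, and an Office process spawning rundll32.exe shortly afterwards. The following detection sketch is an added example written for this page, not code from McAfee Labs or from the article; it runs over constructed Sysmon-style events (EventID 13 registry value set, EventID 1 process creation). The article names the policy only as ‘Disable Excel Macro Warning’; that the campaign wrote the VBAWarnings or AccessVBOM values under Office\<version>\Excel\Security is an assumption of this example, and all hostnames, SIDs, file paths and the DLL name are placeholders.

```python
"""Detect the Word -> registry tamper -> Excel -> rundll32 pattern in
Sysmon-style JSON events. Example code for this article, not McAfee's."""
import json
import re
from datetime import datetime, timedelta

OFFICE_IMAGES = {"winword.exe", "excel.exe"}

# Office registry values that govern macro warnings (VBAWarnings) and
# programmatic access to the VBA project (AccessVBOM). Assumption: these are
# the values behind the article's 'Disable Excel Macro Warning' policy.
MACRO_SECURITY_VALUE = re.compile(
    r"\\Software\\Microsoft\\Office\\[\d.]+\\(Word|Excel)\\Security\\(VBAWarnings|AccessVBOM)$",
    re.IGNORECASE,
)

# A registry tamper followed by an Office-spawned rundll32 within this window
# is escalated to a single high-severity finding.
CHAIN_WINDOW = timedelta(minutes=10)

# Constructed events (not real telemetry). SID, DLL name and paths are placeholders.
SAMPLE_EVENTS = [
    # Outlook opens the attached Word document: benign on its own.
    r'{"EventID": 1, "UtcTime": "2021-07-08 10:00:01.000", "Computer": "WS01", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "CommandLine": "WINWORD.EXE /n invoice.doc"}',
    # Word writes the Excel macro-security value.
    r'{"EventID": 13, "UtcTime": "2021-07-08 10:00:30.000", "Computer": "WS01", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetObject": "HKU\\S-1-5-21-PLACEHOLDER-1001\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\VBAWarnings", "Details": "DWORD (0x00000001)"}',
    # Excel started through COM: its parent is svchost, not Word, so a plain
    # Word-spawns-Excel parent/child rule would not see this step.
    r'{"EventID": 1, "UtcTime": "2021-07-08 10:00:31.000", "Computer": "WS01", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "EXCEL.EXE -Embedding"}',
    # Excel launches rundll32 on the downloaded DLL (placeholder name and export).
    r'{"EventID": 1, "UtcTime": "2021-07-08 10:01:05.000", "Computer": "WS01", "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "rundll32.exe C:\\Users\\victim\\AppData\\Local\\Temp\\PLACEHOLDER.dll,PlaceholderExport"}',
    # Benign rundll32 started by Explorer: must not fire.
    r'{"EventID": 1, "UtcTime": "2021-07-08 10:02:00.000", "Computer": "WS01", "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"}',
    # Ordinary Excel settings write, not under Security: must not fire.
    r'{"EventID": 13, "UtcTime": "2021-07-08 10:02:10.000", "Computer": "WS01", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "TargetObject": "HKU\\S-1-5-21-PLACEHOLDER-1001\\Software\\Microsoft\\Office\\16.0\\Excel\\Options\\DefaultFormat", "Details": "DWORD (0x00000033)"}',
]


def image_name(path):
    """Basename of an image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(lines):
    """Parse JSON event lines and attach a datetime for correlation."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["_time"] = datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(event)
    return events


def analyse(events):
    """Return a list of findings; each has rule, severity, host, time, detail."""
    findings = []
    for e in events:
        image = image_name(e.get("Image", ""))
        if e["EventID"] == 13 and image in OFFICE_IMAGES \
                and MACRO_SECURITY_VALUE.search(e.get("TargetObject", "")):
            findings.append({
                "rule": "office_macro_security_tamper", "severity": "medium",
                "host": e["Computer"], "time": e["_time"],
                "detail": f"{image} wrote {e['TargetObject']} = {e.get('Details', '')}",
            })
        elif e["EventID"] == 1 and image == "rundll32.exe" \
                and image_name(e.get("ParentImage", "")) in OFFICE_IMAGES:
            findings.append({
                "rule": "office_spawns_rundll32", "severity": "medium",
                "host": e["Computer"], "time": e["_time"],
                "detail": f"{image_name(e['ParentImage'])} started {e.get('CommandLine', '')}",
            })

    # Correlate: tamper then rundll32 on the same host inside CHAIN_WINDOW.
    tampers = [f for f in findings if f["rule"] == "office_macro_security_tamper"]
    spawns = [f for f in findings if f["rule"] == "office_spawns_rundll32"]
    for t in tampers:
        for s in spawns:
            if t["host"] == s["host"] and timedelta(0) <= s["time"] - t["time"] <= CHAIN_WINDOW:
                findings.append({
                    "rule": "macro_tamper_then_rundll32", "severity": "high",
                    "host": t["host"], "time": s["time"],
                    "detail": f"{t['detail']}; then {s['detail']}",
                })
    return findings


if __name__ == "__main__":
    for f in analyse(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']}] {f['rule']} on {f['host']} at {f['time']}: {f['detail']}")
```

The two component rules are deliberately kept separate from the correlated one: a lone write to VBAWarnings can be an administrator or a legitimate add-in, and a lone Office-spawned rundll32 has benign causes too, so each is medium on its own and only the ordered pair within the window is raised to high. Note that Excel activated through COM has svchost, not Word, as its parent, which is why the example keys on the registry write and the rundll32 child rather than on a Word-to-Excel process tree.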
Because of the security risk posed by macros, the feature is usually disabled by default, but this has had the unfortunate side-effect that threat actors craft convincing social-engineering lures to trick victims into enabling them.
Threat actors commonly use malicious documents as the entry point for most malware families, and these attacks have kept evolving their infection and obfuscation techniques, which now include downloading payloads directly from VBA and dynamically creating agents that download the payloads.
The researchers stated that the use of such agents in an infection chain is not limited to Word or Excel; future threats may use other tools to download their payloads.