Malware Melds Macros

Friday, May 1, 2015 @ 05:05 PM gHale


Here is a quiz: What do Microsoft Word documents, malicious macros and PDF files have in common?

Answer: A new way to use one item to deliver malware to victims.


Attackers have typically delivered such threats via email messages that either lead the recipient to an executable file posing as a harmless text document or lace a Word document with a macro script that downloads the malware, said researchers at Avast.

The latter method has evolved: the Word document is now embedded in a PDF, which is all the potential victim sees in the message, the Avast researchers said.

Although deployed as a banking threat, the campaign has the potential to reach organizations across various industries.

In this case, victims receive an email claiming to deliver details of a financial nature enclosed in an attached PDF. However, the PDF contains JavaScript code along with the DOC file whose macro holds the malicious code.

When the user opens the “innocent” PDF, the JavaScript drops and executes the DOC. The macro still runs only if the user enables macros, though.
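A defender's way to catch the PDF-with-JavaScript-plus-embedded-DOC pattern described above is to triage attachments for the PDF dictionary names involved (/JavaScript, /JS, /OpenAction, /EmbeddedFile) rather than trusting the file extension. The script below is an added example, not Avast's tooling or anything from the campaign; the key lists are an assumed heuristic and the sample PDF it scans is constructed inline (a skeleton with no payload). It handles two things a plain string search misses: PDF names can be hex-escaped (/J#61vaScript is /JavaScript), and the catalog can sit inside a Flate-compressed object stream.

```python
import re
import zlib

# Dictionary names that, taken together, characterise a PDF that runs script
# on open and carries a file to drop (assumed heuristic, not a full parser).
SCRIPT_KEYS = {"/JavaScript", "/JS"}
DROPPER_KEYS = {"/EmbeddedFile", "/EmbeddedFiles", "/Launch"}
AUTORUN_KEYS = {"/OpenAction", "/AA"}
WATCHED = SCRIPT_KEYS | DROPPER_KEYS | AUTORUN_KEYS

NAME_RE = re.compile(rb"/[A-Za-z0-9#]+")
# Negative lookbehind keeps "endstream" from being taken as a new stream start.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)


def normalize_name(raw: bytes) -> str:
    """Undo PDF name hex escapes: /J#61vaScript is the same name as /JavaScript."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")


def inflate_streams(data: bytes) -> bytes:
    """Concatenate every stream body that inflates as zlib (/FlateDecode).

    decompressobj tolerates trailing bytes (the newline before 'endstream');
    streams that are not Flate raise zlib.error and are skipped.
    """
    out = b""
    for m in STREAM_RE.finditer(data):
        try:
            out += zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue
    return out


def pdf_indicators(data: bytes) -> set:
    """Names from WATCHED found in the raw file or inside inflated streams."""
    body = data + inflate_streams(data)
    names = {normalize_name(n) for n in NAME_RE.findall(body)}
    return names & WATCHED


def triage(data: bytes) -> dict:
    found = pdf_indicators(data)
    has_script = bool(found & SCRIPT_KEYS)
    has_drop = bool(found & DROPPER_KEYS)
    has_autorun = bool(found & AUTORUN_KEYS)
    if has_script and has_drop:
        verdict = "suspicious"   # script plus an embedded file: the dropper pattern
    elif has_script or has_drop or has_autorun:
        verdict = "review"       # one feature alone is common in benign PDFs
    else:
        verdict = "clean"
    return {"indicators": sorted(found), "verdict": verdict}


def build_sample() -> bytes:
    """Constructed sample, not a real malicious file: a skeleton PDF whose
    catalog sits in a Flate-compressed object stream and uses a hex-escaped
    name, the two spots a plain grep for '/JavaScript' misses."""
    catalog = (b"<< /Type /Catalog /OpenAction << /S /J#61vaScript /JS 6 0 R >> "
               b"/Names << /EmbeddedFiles << /Names [(details.doc) 5 0 R] >> >> >>")
    packed = zlib.compress(catalog)
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n"
            b"5 0 obj\n<< /Type /Filespec /F (details.doc) /EF << /F 7 0 R >> >>\nendobj\n"
            b"7 0 obj\n<< /Type /EmbeddedFile /Length 4 >>\nstream\nDOC!\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print(triage(build_sample()))
```

Running the script on the constructed sample reports the JavaScript, OpenAction and EmbeddedFile names together and a "suspicious" verdict; a single feature on its own only earns "review", because forms and brochures legitimately use JavaScript or attachments. The regex-based scan is a triage step for mail gateways or incident triage, not a replacement for a full PDF parser: it does not follow object references or handle encrypted files.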

“Inside the DOC file we found malicious macro code, which users must activate, as the code is disabled by Microsoft Office by default. The code obfuscates DOC files by creating new documents with unique method names, variable names, and URLs, making it difficult to detect the malicious files,” said Jan Širmer from Avast in a blog post.

During the analysis of the macro, the researchers found it connected to URLs that were unique for each sample of the malware, a variant of the Dridex banking Trojan, which evolved from the Zeus line.

The purpose is to steal credentials for accessing bank accounts, as well as logins for Google and Microsoft services. Among the targeted banks are Santander, which operates in the Northeastern part of the United States, and Ulster, a financial institution from Ireland.

The top recommendation from the researchers is to run only the latest versions of software products on the computer. Additionally, users should pay attention to suspicious-looking emails coming from unknown sources. In the case of messages claiming to contain financial information, the sender should be verified before any documents are opened.


