New Malware Targets U.S., UK

Thursday, January 8, 2015 @ 02:01 PM gHale

Two pieces of malware are hitting the U.S. and the UK through email campaigns that rely on social engineering to trick users into enabling macros in their Microsoft Office programs.

Macros are scripts that let users automate repetitive tasks across the components of the Office suite. Cybercriminals have also seen the advantages of these scripts and rely on them to deliver malware.


Microsoft understands the risk macros pose and turned them off by default a long time ago; even so, cybercriminals still rely on this method of distribution, resorting to social engineering to have the victim enable the feature.

Microsoft's security researchers noticed two email campaigns delivering the malware downloaders Adnel and Tarbir this way.

“These recent campaigns are one example of an increasing trend of macro malware targeting home users and enterprise customers. These threats predominantly target our customers in the US and UK,” Microsoft’s Alden Pornasdoro said in a blog post.

Although the two threats were detected in several countries across the globe through the month of December, infections were predominant in the United Kingdom (about 11,000 compromised computers) and the United States (almost 10,000 infections).

Other countries where researchers found compromises are France, Japan, Australia, India, South Africa, Canada, Italy and Germany.

The malware arrives in email attachments posing as financial documents of various sorts, from fake invoices and transaction reports to orders or payment details, in DOC and XLS formats.

When opened, the file loads in Microsoft Word or Excel and instructs the victim to turn on macros manually in order to access the information it supposedly contains. The bad guys try to convince potential victims by claiming the document was created with a newer version of Office and that macros must be enabled to view it. The malware will not execute if the victim does not enable the macros.

“The combination of the instructional document, spam email with supposed monetary content, and a seemingly relevant file name, can be enough to convince an unsuspecting user to click the Enable Content button,” Pornasdoro said in the post.

The macro proceeds to download other malware pieces, including one detected by Microsoft security programs as Drixed. Bad guys use this malware to funnel in other threats, such as Ursnif, which can steal passwords available on the system.
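As an added example, not code from the article or from Microsoft's post, here is a small Python triage script a mail gateway or analyst could run over inbound attachments to flag the DOC/XLS (and macro-enabled OOXML) files that actually carry a VBA macro project. The sample attachments are constructed inline; the OOXML check looks for a vbaProject.bin part in the zip, and the legacy check looks for VBA storage names in the OLE directory, so it is a presence heuristic, not a verdict on whether the macro is malicious.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of legacy binary .doc/.xls (OLE2/CFB)
# Storage names a VBA project leaves in the OLE directory; entry names are UTF-16LE, NUL-terminated
OLE_VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT_CUR\x00", "Macros\x00", "VBA\x00")]


def has_macros(blob: bytes) -> bool:
    """Return True if an Office attachment carries a VBA project.

    Triage heuristic only: it reports the presence of a macro project, not whether
    the macro is malicious, and it never executes or decompresses any VBA code.
    """
    if blob[:2] == b"PK":  # OOXML (.docm/.xlsm/...) is a zip; macros live in vbaProject.bin
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if blob.startswith(OLE_MAGIC):  # legacy .doc/.xls: look for VBA storage names in the directory
        return any(marker in blob for marker in OLE_VBA_MARKERS)
    return False


def triage_attachments(attachments: dict) -> list:
    """Return the names of attachments (name -> bytes) that should be held for review."""
    return sorted(name for name, blob in attachments.items() if has_macros(blob))


def _ooxml(with_vba: bool) -> bytes:
    """Build a minimal constructed OOXML zip (not a real document) with or without a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments mimicking the lure names the article describes; the
# legacy .xls sample is only an OLE header plus a directory-entry name, not a real file.
SAMPLES = {
    "invoice_2014.docm": _ooxml(with_vba=True),
    "invoice_2014.docx": _ooxml(with_vba=False),
    "transaction_report.xls": OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT_CUR\x00".encode("utf-16-le"),
    "payment_details.txt": b"Please see the attached invoice.",
}

if __name__ == "__main__":
    for name in triage_attachments(SAMPLES):
        print(f"{name}: contains a VBA macro project, hold for review")
```

A flagged file is a candidate for quarantine or sandbox detonation; a document that only asks the user to "Enable Content" without actually containing VBA will not be flagged by this check.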
