Microsoft Office Targeted By New Malware


Older versions of Microsoft Excel are being targeted in a malware campaign that uses a new obfuscation technique to disable Office defenses and deliver the Zloader trojan. According to research published by McAfee, the attack uses functions in Microsoft Word and Excel that work together to download the Zloader payload without any warning to end users about the malicious code. Zloader is a banking trojan used to steal credentials and other private information from users.

The attack starts with phishing messages carrying Word document attachments that contain no malicious code, so the attachment typically does not trigger an email gateway or client-side antivirus software to block it. The macro-obfuscation technique leverages both Microsoft Excel's Dynamic Data Exchange (DDE) fields and Windows-based Visual Basic for Applications (VBA) to launch attacks against systems that support legacy XLS formats. When the document is opened and macros are enabled, the Word document downloads and opens another, password-protected Microsoft Excel document.

Next, the VBA instructions embedded in the Word document read an Excel spreadsheet cell to create a macro. That macro populates another cell in the same XLS document with a further VBA macro, which disables Office defenses. Once the macros are written, the Word document sets the registry policy that disables the Excel macro warning and invokes the malicious macro function from the Excel file. The Excel file then downloads the Zloader payload, which is executed using rundll32.exe.

Because Microsoft Office disables macros by default, the attackers try to trick email recipients into enabling them with a message displayed inside the Word document. The message states that the document was created in a previous version of Microsoft Word and that, to view or edit it, users must click the Enable editing button on the top bar and then click Enable content. Once users enable editing and content, the malware leverages DDE and VBA to infect the machine.

The authors bring up the prompt to enable editing and content, and embed instructions in the Word document to extract the contents of the Excel cells. Next, the parent Word file creates a new VBA module in the downloaded Excel file by writing the retrieved contents. Once the Excel macro is created and ready to execute, the script modifies the Windows registry to disable trust access for VBA on the infected machine, which allows the script to execute functions without any Microsoft Office warnings. After the trust access change, a new Excel VBA macro is created and executed, which downloads Zloader.
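As an added detection example (not code from the article or from McAfee's research): a Python script that matches the chain described above, Word spawning Excel, the Office security policy being changed from inside Office, and Excel spawning rundll32.exe, over constructed Sysmon-style process and registry events. The event fields, the sample registry path, and the rule names are assumptions made for the example.

```python
"""Detect the Word -> Excel -> rundll32 chain and the Office security
registry change described above, over constructed Sysmon-style events."""

OFFICE_APPS = {"winword.exe", "excel.exe"}

# Constructed sample telemetry (assumption, not McAfee's data): one benign
# Word session (pid 400) and one that matches the chain in the article.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 400, "ppid": 12, "image": "WINWORD.EXE", "parent": "explorer.exe"},
    {"type": "process", "pid": 500, "ppid": 12, "image": "WINWORD.EXE", "parent": "explorer.exe"},
    {"type": "process", "pid": 501, "ppid": 500, "image": "EXCEL.EXE", "parent": "WINWORD.EXE"},
    {"type": "registry", "pid": 500, "image": "WINWORD.EXE",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings", "data": 1},
    {"type": "process", "pid": 502, "ppid": 501, "image": "rundll32.exe", "parent": "EXCEL.EXE"},
]


def detect_office_chain(events):
    """Return (rule, pid) alerts; each rule covers one step of the chain."""
    alerts = []
    for ev in events:
        image = ev["image"].lower()
        parent = ev.get("parent", "").lower()
        if ev["type"] == "process":
            if parent in OFFICE_APPS and image in OFFICE_APPS:
                alerts.append(("office_spawns_office", ev["pid"]))
            if parent in OFFICE_APPS and image == "rundll32.exe":
                alerts.append(("office_spawns_rundll32", ev["pid"]))
        elif ev["type"] == "registry":
            key = ev["key"].lower()
            # Office writing under its own ...\Office\...\Security\ subkey
            if image in OFFICE_APPS and "\\office\\" in key and "\\security\\" in key:
                alerts.append(("office_writes_own_security_policy", ev["pid"]))
    return alerts


def root_office_pid(pid, by_pid):
    """Walk the parent chain and return the topmost Office process pid."""
    root = None
    while pid in by_pid:
        if by_pid[pid]["image"].lower() in OFFICE_APPS:
            root = pid
        pid = by_pid[pid]["ppid"]
    return root


def correlate(events):
    """Group alerts by their root Office process; a root where all three
    rules fired is reported as the full chain (low-noise, high-confidence)."""
    by_pid = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    hits = {}
    for rule, pid in detect_office_chain(events):
        hits.setdefault(root_office_pid(pid, by_pid), set()).add(rule)
    return {root: rules for root, rules in hits.items() if len(rules) == 3}
```

Each rule alone fires on some legitimate activity, so the correlated result in `correlate` is the one worth paging on while the single-rule alerts are useful for hunting.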

Malicious documents have been used in many malware attacks, and these attacks keep evolving their techniques: rather than limiting themselves to downloading the payload directly from VBA, they now create agents dynamically to download the payload. Only enable macros when the document comes from a trusted source.