Researchers at Microsoft’s Malware Protection Center are warning of a new technique attackers are using to help macro malware evade detection.
The researchers first spotted the technique while analyzing a file containing VBA project scripts, a sample of the well-known downloader TrojanDownloader:O97M/Donoff, and say it is the first time they have seen this particular obfuscation. The macro initially deceived them.
“We recently came across a file containing a VBA project that scripts a malicious macro,” reads a blog post from Microsoft. “However, there wasn’t an immediate, obvious identification that this file was actually malicious. It’s a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements).”
The VBA modules appeared harmless; the researchers found no evidence of malicious code in them, until they noticed a strange string in the Caption field of CommandButton3 on the user form.
“However, after further investigation we noticed a strange string in the Caption field for CommandButton3 in the user form. It appeared to be some sort of encrypted string,” continues the post. “We went back and reviewed the other modules in the file, and sure enough – there’s something unusual going on in Module2. A macro there (UsariosConectados) decrypts the string in the Caption field for CommandButton3, which turns out to be a URL. It uses the deaultautoopen() macro to run the entire VBA project when the document is opened.”
The threat actors hid the encrypted URL not in the macro code but in the Caption property of a button on the VBA user form. When the macro runs, it decrypts that string to recover the URL from which the malicious payload is downloaded.
“The macro will connect to the URL (hxxp://clickcomunicacion.es/<uniqueid>) to download a payload which we detect as Ransom:Win32/Locky (SHA1: b91daa9b78720acb2f008048f5844d8f1649a5c4).”
According to Microsoft, this is the first time the technique has been observed in the wild. Its value to the attacker is that the payload URL never appears in any VBA module: anyone who only inspects the module source sees a decryption routine and a form with a few buttons, while the actual indicator sits in a control property that many static checks never read.
Exactly one year ago, Microsoft issued an alert on macro attacks after observing a major spike in the volume of macro malware since the beginning of that year.
Microsoft points readers to its threat intelligence report on macros for further information on preventing and recovering from macro attacks.
(Security Affairs – malicious macros, malware)