Hackers Uses New Technique to Disable Macro Security To Launch a Weaponized MS Office Documents


The U.S.

Recently during an everyday examination, the experts of McAfee Labs have found a brand-new approach that is being utilized by the threat stars in phishing campaigns. This technique downloads and carries out malicious DLLs (Zloader) without any ill-disposed code that represents in the initial spammed accessory macro.

The specialists are attempting to get all the loopholes of this malware, and due to the fact that of some security affairs, in the meantime, macros are impaired by default in Microsoft Office applications..

URL to download XLS.
hxxp:// heavenlygem.com/11.php.

URL to download dll.
hxxp:// heavenlygem.com/22.php?5PH8Z.

Downloaded dll.

Methods & & techniques used by the malware.

Infection Chain.

However, after the examination, the security scientists affirmed that it is safe to allow macros when the file is gathered from any reputable permission.

Main Word Document.
W97M/Downloader. djx.


Usually, the risk actors of phishing campaigns make use of Microsoft Office files as their weapon to trigger victims to enable macros so that they can easily target the infection chain.

The new techniques that are being utilized by the risk stars are utilizing macro obfuscation, DDE, living off the land tools (LOLBAS), and even using legacy-supported XLS formats to carry out all their operations.

You can follow us on Linkedin, Twitter, Facebook for everyday Cybersecurity and hacking news updates.

Detection Name.
Detection Package Version (V3).

Once the downloads are done, from the XLS the Word VBA starts reading the cell; not long after it produces a brand-new macro for the XLS file. After that, the Word document inserts the policy in the windows registry so that it can easily Disable Excel Macro Warning.

Day by day the methods of the risk stars are progressing so that they can avert detection to perform an effective attack..

Nowadays the attack rate of phishing projects has increased a lot, that its ending up being typical to encounter such attacks..

Word and VBA Macro Analysis.

The experts came to know about this campaign through an e-mail, that has a document that is presented in Microsoft Word, and whenever someone will open the file and macros are enabled, quickly the file will begin downloading and after that another password-protected Microsoft Excel document pop-ups.

The stand out file that is saved in the destructive domain generally produces an Excel application item merely making use of the CreateObject() function and translate the string from Combobox-1 of Userform-1 that has the string excel.

In order to keep it safe, the macros are disabled to operate by default by Microsoft Office, but the hackers are familiar with this, and thats why they provide a phony image to fool the victims so that they will allow the macros.

The malware that has actually been spotted by the experts is called a ZeuS banking trojan, and according to the report, this malware has been kept in mind in the following nations:-.

There are some strategies and tactics that have been used by the malware, and here we have mentioned them below:-.

Email Spear Phishing (T1566.001).
Execution (T1059.005).
Defense Evasion (T1218.011).
Defense Evasion (T1562.001).