Microsoft warns of malicious macros using a new sneaky trick

Pierluigi Paganini May 22, 2016

Researchers at Microsoft’s Malware Protection Center are warning of a new wave of attacks leveraging malicious macros that use a new sneaky trick.

Researchers at Microsoft’s Malware Protection Center are warning of a new technique attackers are using to let macro malware elude detection solutions.

The experts first spotted the technique while analyzing a file containing VBA project scripts with a sample of the well-known TrojanDownloader:O97M/Donoff.

The experts confirmed that it is the first time they have seen this obfuscation technique.

The experts were initially deceived by the macro used by the threat actors.

“We recently came across a file containing a VBA project that scripts a malicious macro.” reads a blog post from Microsoft. “However, there wasn’t an immediate, obvious identification that this file was actually malicious. It’s a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements).”

[Figure: VBA malware macros form]

The VBA modules appeared harmless; the experts found no evidence of malicious code, except for a strange string in the Caption field of CommandButton3 in the user form.

“However, after further investigation we noticed a strange string in the Caption field for CommandButton3 in the user form. It appeared to be some sort of encrypted string.” continues the post. “We went back and reviewed the other modules in the file, and sure enough – there’s something unusual going on in Module2. A macro there (UsariosConectados) decrypts the string in the Caption field for CommandButton3, which turns out to be a URL. It uses the deaultautoopen() macro to run the entire VBA project when the document is opened.”

The threat actors hid the command in the caption (the visible label) of a macro button. When the macro is executed, it decrypts that string to recover the URL from which the malicious payload is downloaded.

“The macro will connect to the URL (hxxp://clickcomunicacion.es/<uniqueid>) to download a payload which we detect as Ransom:Win32/Locky (SHA1: b91daa9b78720acb2f008048f5844d8f1649a5c4).”
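The technique described above gives defenders a concrete pattern to look for in extracted VBA: an auto-executing entry point, a macro that reads a form control's Caption property, and a caption whose content looks encoded rather than like a button label. The following Python triage script is an added example, not code from this post or from Microsoft; it runs over constructed module text and control captions of the kind a VBA extractor (olevba, for instance) would return, and the module names, captions, regular expressions and entropy threshold are all assumptions made for the example.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample input (not the real Donoff sample): VBA module text and
# user-form control captions as an extractor would hand them back. Only the
# pattern (caption decoded in code, triggered on open) mirrors the technique.
SAMPLE_MODULES = {
    "Module1": "Sub Helper()\n    Dim x As Integer\n    x = 1\nEnd Sub\n",
    "Module2": (
        "Sub UsariosConectados()\n"
        "    Dim c As String\n"
        "    c = UserForm1.CommandButton3.Caption\n"
        "    Dim u As String\n"
        "    u = Decode(c)\n"                      # Decode is a hypothetical routine
        "    Set h = CreateObject(\"MSXML2.XMLHTTP\")\n"
        "End Sub\n"
    ),
    "ThisDocument": "Sub AutoOpen()\n    UsariosConectados\nEnd Sub\n",
}
SAMPLE_CAPTIONS = {
    "CommandButton1": "OK",
    "CommandButton2": "Cancel",
    "CommandButton3": "x7Qp9ZkL2mW4nR8vT1sB5yH0cJ3dF6gA",  # constructed encoded-looking blob
}

# Auto-execution entry points in Word/Excel VBA (assumed list, extend as needed).
AUTOEXEC = re.compile(
    r"\bSub\s+(AutoOpen|AutoExec|Auto_Open|Document_Open|Workbook_Open)\s*\(",
    re.IGNORECASE,
)
# Any read of a control's Caption property; group 1 is the control name.
CAPTION_READ = re.compile(r"\b(\w+)\.Caption\b", re.IGNORECASE)
# COM objects commonly used for HTTP from VBA.
NET_OBJECT = re.compile(
    r'CreateObject\s*\(\s*"(MSXML2\.XMLHTTP|Microsoft\.XMLHTTP|WinHttp\.WinHttpRequest[\w.]*)"',
    re.IGNORECASE,
)


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking encoded blobs score higher than words."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    kind: str    # "autoexec", "caption_read", "net_object" or "odd_caption"
    where: str   # module name or control name
    detail: str  # matched name or a short description


def scan(modules, captions, entropy_threshold=4.0, min_len=16):
    """Collect indicators from module source and from form-control captions."""
    findings = []
    for mod, src in modules.items():
        for m in AUTOEXEC.finditer(src):
            findings.append(Finding("autoexec", mod, m.group(1)))
        for m in CAPTION_READ.finditer(src):
            findings.append(Finding("caption_read", mod, m.group(1)))
        for m in NET_OBJECT.finditer(src):
            findings.append(Finding("net_object", mod, m.group(1)))
    for ctl, cap in captions.items():
        # Entropy alone is noisy (long sentences score high too), so it is only
        # one signal; the verdict below ties it to the code that reads the caption.
        if len(cap) >= min_len and shannon_entropy(cap) >= entropy_threshold:
            findings.append(Finding("odd_caption", ctl,
                                    f"{len(cap)} chars, entropy {shannon_entropy(cap):.2f}"))
    return findings


def verdict(findings):
    """'suspicious' when an auto-exec macro exists and code reads an encoded-looking caption."""
    kinds = {f.kind for f in findings}
    read_controls = {f.detail for f in findings if f.kind == "caption_read"}
    odd_controls = {f.where for f in findings if f.kind == "odd_caption"}
    if "autoexec" in kinds and read_controls & odd_controls:
        return "suspicious"
    if kinds:
        return "review"
    return "clean"


if __name__ == "__main__":
    fs = scan(SAMPLE_MODULES, SAMPLE_CAPTIONS)
    for f in fs:
        print(f"{f.kind:13} {f.where:16} {f.detail}")
    print("verdict:", verdict(fs))
```

The point of the combined verdict is that none of the signals is convincing on its own: AutoOpen is common in legitimate templates, captions are read for harmless reasons, and a long label can have high entropy. A caption that looks encoded and is consumed by code reachable from an auto-exec entry point is the combination this post describes, and that is what the script escalates.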

This is the first time threat actors have been observed using this technique in the wild.

Exactly one year ago, Microsoft issued an alert on macro attacks after observing a major spike in the volume of macro malware since the beginning of that year.

Microsoft suggests reading its threat intelligence report on macros for further information on preventing and recovering from macro attacks.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community is a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi


Pierluigi Paganini

(Security Affairs – malicious macros, malware)


