Office Loader leverages malicious macros to deliver multiple malware

Security researchers at Palo Alto Networks spotted a campaign leveraging Microsoft Office loader using malicious macros to drop multiple malware families.

The researchers analyzed more than 650 unique samples of this specific loader since early December 2016, accounting for 12,000 phishing email targeting numerous industries.

Most affected industries are High Tech, Professional and Legal Services, and Government.

The Office loader is being delivered via spam messages and employs heavily obfuscated malicious macros and a user account control (UAC) bypass technique to infected the target.

“The loader itself is primarily delivered via email and makes use of heavily obfuscated malicious macros as well as a user account control (UAC) bypass technique that was originally discovered in August 2016.” reads the analysis published PaloAlto Networks.

The phishing messages used several malicious documents masqueraded as invoices, product lists, deposit slips, or document scans, and more.

The Office loader was used to drop several malware such as LuminosityLink, KeyBase, PredatorPain, Ancalog, Bartalex, Pony, and DarkComet.

“Based on the large amount of commodity malware families being dropped, as well as the wide distribution seen, this loader appears to primarily be used for widespread campaigns.” continues the analysis.

According to the experts, threat actor behind the campaign may have used a builder to generate the malicious macros that have been obfuscated with a large amount of garbage code and randomly chosen variables. The second part of the malicious macro includes also obfuscated strings and a number of strings written to the Word document.

The first half of the macro includes a function to decode the obfuscated strings.

“In the second half of the macro, we see a garbage code, a number of obfuscated strings, as well as a number of strings that are written to the Word document. These strings are in-line with the ploy being used by the attacker based on the witnessed subject line and filename.” reads the analysis.

“This function will download a file via PowerShell and drop it within the %TEMP% directory. It then sets a specific registry key to point to this newly dropped file. Finally, it will execute the built-in eventvwr.exe process, sleep for roughly 15 seconds by performing a ping against the localhost 15 times, and removes the executes the dropped file. The registry key write and execution of eventvwr.exe is a UAC bypass technique that was first discussed here. “

The experts noticed that a small number of samples used the built-in BITSAdmin tool instead of PowerShell to download the malware.

“Overall, this new loader is interesting in its use of performing a UAC bypass. Additionally, the widespread use of this loader since December of last year shows that it is being used in numerous campaigns.” concluded PaloAlto Networks. “It is unclear if this loader is being used by one or more groups. Multiple industries have been targeted by this loader, which has been used to deploy multiple malware families.” 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Office Loader, malware)