
Microsoft warns of malicious macros using a new sneaky trick

Researchers at Microsoft's Malware Protection Center are warning of a new wave of attacks leveraging malicious macros that use a new, sneaky trick.

The same researchers describe a new technique attackers are using to help macro malware elude detection solutions.

The experts first spotted the technique while analyzing a file containing VBA project scripts with a sample of the well-known TrojanDownloader:O97M/Donoff.

The experts confirmed that it is the first time they have seen this obfuscation technique.

The experts were initially deceived by the macro used by the threat actors.

“We recently came across a file containing a VBA project that scripts a malicious macro.” reads a blog post from Microsoft. “However, there wasn’t an immediate, obvious identification that this file was actually malicious. It’s a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements).”

VBA malware macros form

The VBA modules appeared harmless; the experts found no evidence of malicious code in them, except for a strange string in the Caption field for CommandButton3 in the user form.

“However, after further investigation we noticed a strange string in the Caption field for CommandButton3 in the user form. It appeared to be some sort of encrypted string.” continues the post. “We went back and reviewed the other modules in the file, and sure enough – there’s something unusual going on in Module2. A macro there (UsariosConectados) decrypts the string in the Caption field for CommandButton3, which turns out to be a URL. It uses the deaultautoopen() macro to run the entire VBA project when the document is opened.”

The threat actors have hidden commands in the name of a macro button. When the macro is executed it decrypts the string in order to retrieve the URL from which to download a malicious payload.
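The point for defenders is that the decryption routine and the auto-execute entry point sit in ordinary VBA modules, while the encrypted URL lives in the user form's control data, so static signatures that only look for URLs in module source miss it. The added example below (not Microsoft's code and not the Donoff sample; the VBA modules are constructed for illustration and the function and regex names are assumptions) shows a simple static heuristic over already-extracted VBA source: it flags a module that reads a form control's `Caption` property and pushes it through string-decoding primitives, and reports the auto-execute entry points present in the project. In practice you would obtain the module text with a dumper such as olevba from the oletools project and would additionally need the form's stored control strings to recover the Caption value itself.

```python
import re
from dataclasses import dataclass, field

# Auto-execute entry points that Word and Excel run when a document is opened,
# created or closed, without further user interaction.
AUTO_EXEC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+"
    r"(AutoOpen|AutoExec|AutoNew|AutoClose|Auto_Open|Document_Open|"
    r"Document_New|Document_Close|Workbook_Open)\b",
    re.IGNORECASE | re.MULTILINE,
)
# A reference to a form control's Caption property, e.g. UserForm1.CommandButton3.Caption.
CAPTION_RE = re.compile(r"\b([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)\.Caption\b", re.IGNORECASE)
# String-manipulation primitives that character-by-character decoders are built from.
DECODE_RE = re.compile(r"\b(Chr|ChrW|Asc|AscW|Mid|StrReverse|Xor)\b", re.IGNORECASE)

# Constructed sample modules (assumed names), modelled on the pattern described
# in the article: an auto-open macro calls a routine that decodes a button Caption.
SAMPLE_MODULES = {
    "Module1": """
Sub AutoOpen()
    DecodeFromForm
End Sub
""",
    "Module2": """
Function DecodeFromForm() As String
    Dim s As String, i As Integer, out As String
    s = UserForm1.CommandButton3.Caption
    For i = 1 To Len(s)
        out = out & Chr(Asc(Mid(s, i, 1)) Xor 7)
    Next i
    DecodeFromForm = out
End Function
""",
    "Module3": """
Sub Helper()
    MsgBox "hello"
End Sub
""",
}


@dataclass
class ModuleFinding:
    module: str
    caption_sources: list = field(default_factory=list)  # controls whose Caption is referenced
    decode_ops: list = field(default_factory=list)       # string primitives seen in the module
    auto_exec: list = field(default_factory=list)        # auto-execute procedures defined here


def analyze_modules(modules: dict) -> dict:
    """Scan VBA module source (name -> text) for a Caption-fed decoder plus an auto-exec trigger."""
    findings = []
    for name, src in modules.items():
        findings.append(ModuleFinding(
            module=name,
            caption_sources=sorted({m.group(1) for m in CAPTION_RE.finditer(src)}),
            decode_ops=sorted({m.group(1).lower() for m in DECODE_RE.finditer(src)}),
            auto_exec=[m.group(1) for m in AUTO_EXEC_RE.finditer(src)],
        ))
    # A module that reads a Caption and uses two or more decoding primitives is
    # treated as a hidden-string decoder; a plain Caption assignment in UI code is not.
    decoder_modules = [f.module for f in findings if f.caption_sources and len(f.decode_ops) >= 2]
    auto_exec = [proc for f in findings for proc in f.auto_exec]
    return {
        "modules": findings,
        "decoder_modules": decoder_modules,
        "auto_exec": auto_exec,
        "suspicious": bool(decoder_modules) and bool(auto_exec),
    }


if __name__ == "__main__":
    report = analyze_modules(SAMPLE_MODULES)
    print("suspicious:", report["suspicious"])
    print("decoder modules:", report["decoder_modules"])
    print("auto-exec procedures:", report["auto_exec"])
    for f in report["modules"]:
        print(f"  {f.module}: captions={f.caption_sources} ops={f.decode_ops} autoexec={f.auto_exec}")
```

The heuristic is deliberately narrow: a module that merely sets a label's Caption is not flagged, and a decoder with no auto-execute trigger anywhere in the project is reported but not marked suspicious, which keeps the check useful for triage rather than as a blanket rule.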

“The macro will connect to the URL (hxxp://clickcomunicacion.es/<uniqueid>) to download a payload which we detect as Ransom:Win32/Locky (SHA1: b91daa9b78720acb2f008048f5844d8f1649a5c4).”

This is the first time that threat actors used this technique in the wild.

Exactly one year ago, experts from Microsoft launched an alert on macro attacks after observing a major spike in the volume of malware using macros since the beginning of the year.

Microsoft suggests reading its threat intelligence report on macros for further information on preventing and recovering from macro attacks.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I'm one of the finalists and I want to demonstrate that the Security Affairs community is a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi


Pierluigi Paganini

(Security Affairs – malicious macros, malware)