10 July 21, 07:56
Quote:Legacy users of Microsoft Excel are being targeted in a malware campaign that uses a novel malware-obfuscation technique to disable Office defenses and deliver the Zloader trojan.
The attack, according to research published Thursday by McAfee, marries functions in Microsoft Office Word and Excel to work together to download the Zloader payload, without triggering an alert warning for end users of the malicious attack.
Zloader is a banking trojan designed to steal credentials and other private information from users of targeted financial institutions.
The initial attack vector is inbox-based phishing messages with Word document attachments that contain no malicious code. Thus, it wouldn’t typically trigger an email gateway or client-side antivirus software to block the attack.
The macro-obfuscation technique meanwhile leverages both Microsoft Office’s Excel dynamic data exchange (DDE) fields and Windows-based Visual Basic for Applications (VBA) to launch attacks against systems that support legacy XLS formats.
“The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, the Word document, in turn, downloads and opens another password-protected Microsoft Excel document,” researchers wrote.
Next, VBA-based instructions embedded in the Word document read a specially crafted Excel spreadsheet cell to create a macro. That macro populates an additional cell in the same XLS document with an additional VBA macro, which disables Office defenses.
“Once the macros are written and ready, the Word document sets the policy in the registry to ‘Disable Excel Macro Warning,’ and invokes the malicious macro function from the Excel file. The Excel file now downloads the Zloader payload. The Zloader payload is then executed using rundll32.exe,” researchers said.
Read more: Microsoft Office Users Face Malware-Protection Bypass | Threatpost
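A detection sketch for the two behaviours the quoted article describes, an Office process rewriting its own macro-security policy in the registry and rundll32.exe being launched from Excel, added here as an example; it is not code from the article or from McAfee's research. The log lines are constructed and loosely modelled on Sysmon event ID 13 (registry value set) and event ID 1 (process create) with simplified field names. VBAWarnings and AccessVBOM are Office's real per-user macro-security registry values, but the article names neither (it only says the policy "Disable Excel Macro Warning" is set), so treating them as the values the campaign writes is an assumption made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Real Office macro-security registry values (per-user DWORDs), e.g. under
# HKCU\Software\Microsoft\Office\16.0\Excel\Security:
#   VBAWarnings  1 = enable all macros (weak), 2 = disable with notification
#                (default), 3 = signed only, 4 = disable without notification
#   AccessVBOM   1 = trust access to the VBA project object model, which is what
#                lets one macro write new macros into another document
# Assumption for this example: these are the values the campaign touches.
OFFICE_SECURITY_VALUE = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\(Excel|Word)\\Security\\(VBAWarnings|AccessVBOM)$",
    re.IGNORECASE,
)
OFFICE_PROCESSES = {"winword.exe", "excel.exe"}

# Constructed sample, loosely modelled on Sysmon event IDs 13 and 1.
# Paths, SID and file names are made up; field names are simplified.
SAMPLE_LOG = r"""
id=13 image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE target=HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM details=DWORD (0x00000001)
id=13 image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE target=HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings details=DWORD (0x00000001)
id=13 image=C:\Windows\System32\svchost.exe target=HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings details=DWORD (0x00000002)
id=1 image=C:\Windows\System32\rundll32.exe parent=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE cmdline=rundll32.exe C:\Users\u\AppData\Local\Temp\x.dll,DllRegisterServer
id=1 image=C:\Windows\System32\rundll32.exe parent=C:\Windows\explorer.exe cmdline=rundll32.exe shell32.dll,Control_RunDLL
"""

# key=value pairs whose values may contain spaces: a value runs until the
# next " word=" or the end of the line.
FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_line(line: str) -> dict:
    return dict(FIELD.findall(line))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dword(details: str) -> Optional[int]:
    """Extract the integer from a Sysmon-style 'DWORD (0x00000001)' field."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    return int(m.group(1), 16) if m else None


@dataclass
class Finding:
    rule: str
    evidence: str


def check_registry(ev: dict) -> Optional[Finding]:
    """Flag writes that weaken Excel/Word macro policy. Word or Excel
    writing that policy itself is the pattern the article describes."""
    m = OFFICE_SECURITY_VALUE.search(ev.get("target", ""))
    if not m:
        return None
    app, name = m.group(1), m.group(2)
    data = dword(ev.get("details", ""))
    # Only VBAWarnings=1 (enable all) and AccessVBOM=1 weaken the policy;
    # the default VBAWarnings=2 and the stricter 3/4 are left alone.
    if data != 1:
        return None
    actor = basename(ev.get("image", ""))
    rule = ("office-process-weakens-own-macro-policy"
            if actor in OFFICE_PROCESSES else "macro-policy-weakened")
    return Finding(rule, f"{actor} set {app}\\Security\\{name} = {data}")


def check_process(ev: dict) -> Optional[Finding]:
    """Flag rundll32.exe spawned directly by Word or Excel."""
    if basename(ev.get("image", "")) != "rundll32.exe":
        return None
    parent = basename(ev.get("parent", ""))
    if parent not in OFFICE_PROCESSES:
        return None
    return Finding("rundll32-from-office", f"{parent} -> {ev.get('cmdline', '')}")


def analyze(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        check = check_registry if ev.get("id") == "13" else check_process
        hit = check(ev)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.rule}] {f.evidence}")
```

On the sample this reports the two policy writes made by WINWORD.EXE and the rundll32.exe child of EXCEL.EXE, and ignores the svchost write of the default value 2 and rundll32 launched from Explorer. The registry rule only fires if your Sysmon (or EDR) configuration actually records writes under the per-user Office\...\Security keys; default configurations often do not, so that coverage is worth checking before relying on the rule.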