While it’s a norm for phishing campaigns that distribute weaponized Microsoft Office documents to prompt victims to enable macros in order to trigger the infection chain in the background, new findings indicate that macro security warnings can be disabled entirely without requiring any user interaction.
In yet another instance of malware authors continue to evolve their techniques to evade detection, researchers from McAfee Labs stumbled upon a novel tactic that “downloads and executes malicious DLLs (ZLoader) without any malicious code present in the initial spammed attachment macro.”
ZLoader infections propagated using this mechanism have been primarily reported in the U.S., Canada, Spain, Japan, and Malaysia, McAfee noted. The malware — a descendant of the infamous ZeuS banking trojan — is well known for aggressively using macro-enabled Office documents as an initial attack vector to steal credentials and personally identifiable information from users of targeted financial institutions.
In investigating the intrusions, the researchers found that the infection chain started with a phishing email containing a Microsoft Word document attachment that, when opened, downloaded a password-protected Microsoft Excel file from a remote server.
“After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions,” the researchers said. “Once the macros are written and ready, the Word document sets the policy in the registry to ‘Disable Excel Macro Warning’ and invokes the malicious macro function from the Excel file. The Excel file now downloads the Zloader payload. The Zloader payload is then executed using rundll32.exe.”
Given the “significant security risk” posed by macros, the feature is usually disabled by default, thereby prompting threat actors to display a convincing lure to trick victims into enabling them. By turning off the security warning presented to the user, the attacks are noteworthy because of the steps it takes to thwart detection and stay under the radar.
“Malicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payloads,” the researchers said. “Usage of such agents in the infection chain is not only limited to Word or Excel, but further threats may use other living off the land tools to download its payloads.”