Posted on June 25, 2019 at 2:51 PM
Microsoft Warns Users Not to Enable Macros, or They Could Be Hit by Malware
Malware threats are becoming more and more of an issue with each passing year. The threat seems to be evolving at a rapid pace, with hackers constantly developing new, more advanced forms of malicious software that spreads in any way it can find. The innovative ways of spreading and infecting internet users are eventually being discovered, but the lack of awareness may cause many to end up being infected, even if their devices are fully patched.
According to Microsoft, there is currently a new Windows malware that is spread via excel in email with bad macro. Because of that, Microsoft warned users, urging them not to enable macros at all until the new cybercampaign that relies on Office features is dealt with.
Malware misuses built-in features to spread
Considering the popularity of Microsoft Office applications around the world, it is clear why hackers focused their efforts on creating malware that could misuse these features for spreading. Unfortunately, some of the most favorite tools are now compromised and could infect mass amounts of Windows PCs, despite the fact that they could be fully patched and protected.
The only way for Microsoft to protect its users was to raise awareness and warn them of the new threat, and so the company warned against using Office. Earlier this month, the tech giant said that attackers are firing spam that exploits a flaw in Office, which results in the installation of a trojan. It was also discovered that the bug means that attackers do not need users to enable macros in the first place.
But, according to the new information, there is now a new malware campaign that takes the opposite approach and uses the macro function in Excel to compromise devices. In other words, there is no specific vulnerability that can be patched — it is exploiting a legitimate feature in an Excel attachment.
How does the attack work?
As reported by the company’s Security Intelligence team, this new campaign uses a complex infection chain in order to download and run what is known as FlawedAmmyy. This is a remote-access trojan, or RAT, which gets released directly into the infected PC’s memory. This is not a new RAT, and it was used many times in the past, mostly against businesses in the retail and finance industries.
According to Proofpoint, a well-known security firm, it is likely that the hacking group responsible for the attack is TA505. This is a group that often relies on Microsoft attachments, as well as social engineering to infect the systems of others.
Experts also explained the attack, noting that it starts with an email and Excel or .xls attachment. This is the kind of attachment that Microsoft warns people not to open under any circumstances. However, in cases where the attachment does get opened, the file will start running a macro function which runs msiexec.exe, which will then download an MSI archive.
After that, the MSI archive extracts a digitally signed executable contained within, and runs it. This executable decrypts and runs another executable in the device’s memory. All of this allows malware to avoid detection, even if users have a fully-updated antivirus. But, that is not the end of the process either, as the malicious executable then downloads a file called wsus.exe, which is then decrypted.
This file is designed to look like Microsoft Windows Service Update Service, or WSUS. The file then decrypts the payload in RAM, and FlawedAmmyy payload is delivered.
Malware targeting Korean users
So far, it appears that the attack is mostly targeting Korean-speakers, which was deduced due to the fact that attachment includes characters from Korean language. Meanwhile, Microsoft is investing in the infrastructure of its Windows Defender, hoping to improve the built-in antivirus and make it a better obstacle for malware.
Another security company, TrendMicro, recently pointed out that TA505 appears to be targeting Windows users in a few specific locations, including China, Taiwan, Chile, Mexico, and South Korea, which confirms that the malware might only be meant for South Koreans at this time. However, if TrendMicro is right, it is possible that Windows users in other specified areas might start experiencing similar issues in the near future.