The Microsoft Malware Protection Center says there has been a dramatic increase in threats using macros to spread malware via spam and social engineering over the last month.

Macros are used for automating frequently used tasks in Office. Macro-related infections were constant and near zero daily up until Dec. 4. Infections spiked in mid-December, peaking at just fewer than 8,000 detections on Dec. 17. Infections had fallen since Microsoft moved to disable macros by default.

However, the first phase of the attack relies on a social engineering scheme designed to trick users into enabling macros on their machines. First the user receives a finance-themed spam email with a malicious attachment masquerading as a Microsoft Office document. The attachment is, in reality, a ploy to get the user to enable macros. If the user enables them, the macro executes and downloads its payload, which is one of two separate Trojan downloaders.

Thus far, Microsoft has observed two trojans disseminated in this campaign: TrojanDownloader:W97/Adnel and TrojanDownloader:O97M/Tarbir. Each is a downloader capable of installing software, including malware, on the machines it infects.

Adnel is described as a malicious macro that can be embedded into a Microsoft Office file. When the file is opened, Office issues a warning about enabling macros. If the user chooses to enable them, or already has macros enabled, the malicious code runs. The attackers have distributed Adnel as malicious .doc and .xls files.

“Upon opening the Microsoft Office file (in this case a Word document), a user will be prompted to enable macros,” the Microsoft Malware Protection Center warned. “By default, the macros in Microsoft Office are set as ‘Disable all macros with notification’. Until they are manually enabled, the malware code cannot run.”

The campaign is targeting users primarily in the United States and the United Kingdom, which have seen just under and just over 10,000 detections, respectively. Microsoft has observed other detections in France, Japan, Australia, India, South Africa, Canada, Italy and Germany, though each has far fewer than 1,000 detections.

On the receiving end, users should look out for the following email subject lines: ACH Transaction Report, Doc-file for report is ready, Invoice as required, Invoice – P97291, Order – Y24383, Payment Details, Remittance Advice from Engineering Solutions Ltd and Your Automated Clearing House Transaction Has Been Put Out.

Malicious attachments deployed in the attack include: 20140918_122519.doc, 813536MY.xls, ACH Transfer 0084.doc, Automated Clearing House transfer 4995.doc, BAC474047MZ.xls, BILLING DETAILS 4905.doc, CAR014 151239.doc, ID_2542Z.xls, Fuel bill.doc, ORDER DETAILS 9650.doc, Payment Advice 593016.doc, SHIPPING DETAILS 1181.doc, SHIP INVOICE 1677.doc and SHIPPING NO.doc.
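As an added example (not from the Microsoft report or this article), the following Python filter checks constructed mail-gateway log lines against the subject lines and attachment names listed above. The regexes that generalise the numbered subject and attachment names, the "subject|attachment" log format and the verdict names are assumptions.

```python
import re

# Subject lines reported on the page, normalised to lowercase single-spaced text.
CAMPAIGN_SUBJECTS = {
    "ach transaction report",
    "doc-file for report is ready",
    "invoice as required",
    "payment details",
    "remittance advice from engineering solutions ltd",
    "your automated clearing house transaction has been put out",
}
# "Invoice – P97291" / "Order – Y24383" carry a varying reference; generalised here (assumption).
SUBJECT_PATTERNS = [re.compile(r"^(invoice|order)\s*[-–]\s*[a-z]\d{5}$")]
# Attachment names from the page mostly follow "<finance phrase> <digits>.doc/.xls";
# the first regex generalises that shape (assumption), the rest cover the other listed names.
ATTACHMENT_PATTERNS = [
    re.compile(r"^(ach transfer|automated clearing house transfer|billing details|order details|"
               r"payment advice|shipping details|ship invoice|car\d{3})\s+\d+\.(doc|xls)$"),
    re.compile(r"^\d{8}_\d{6}\.doc$"),                  # 20140918_122519.doc
    re.compile(r"^(id_\d+z|\d{6}my|bac\d+mz)\.xls$"),   # ID_2542Z.xls, 813536MY.xls, BAC474047MZ.xls
    re.compile(r"^(fuel bill|shipping no)\.doc$"),
]
MACRO_CAPABLE = (".doc", ".xls", ".docm", ".xlsm")  # formats that can carry VBA macros

def _norm(s):
    """Collapse whitespace runs and lowercase so 'Has Been  Put Out' still matches."""
    return re.sub(r"\s+", " ", s).strip().lower()

def classify_message(subject, attachment):
    """Return (verdict, reason) for one inbound message."""
    subj, att = _norm(subject), _norm(attachment)
    if subj in CAMPAIGN_SUBJECTS or any(p.match(subj) for p in SUBJECT_PATTERNS):
        return "block", "subject matches macro-spam campaign"
    if any(p.match(att) for p in ATTACHMENT_PATTERNS):
        return "block", "attachment name matches macro-spam campaign"
    if att.endswith(MACRO_CAPABLE):
        return "review", "macro-capable Office attachment; confirm sender before enabling macros"
    return "allow", ""

# Constructed gateway log lines ("subject|attachment"), not real mail data.
SAMPLE_LOG = [
    "Invoice – P97291|Payment Advice 593016.doc",
    "Order - Y10001|ORDER DETAILS 12.doc",
    "Q3 budget|budget.xlsm",
    "Lunch on Friday?|menu.pdf",
]

def scan_log(lines):
    """Classify every log line; returns [(subject, verdict, reason), ...]."""
    out = []
    for line in lines:
        subject, attachment = line.split("|", 1)
        out.append((subject, *classify_message(subject, attachment)))
    return out
```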

Wednesday, February 18, 2015