The Microsoft Malware Protection Center says there has been a dramatic increase in threats using macros to spread malware via spam and social engineering over the last month.
Macros automate frequently used tasks in Office, and the campaign abuses that feature as its foothold. Macro-related infections were steady and near zero per day until Dec. 4. They spiked in mid-December, peaking at just under 8,000 detections on Dec. 17, and have fallen since. Office has disabled macros by default for years, so the campaign only succeeds when a user overrides that setting.
Thus far, Microsoft has observed two trojans distributed in this campaign: TrojanDownloader:W97M/Adnel and TrojanDownloader:O97M/Tarbir. Each is a downloader that fetches and installs further software, including other malware, on the machines it infects.
Adnel is a malicious macro embedded in a Microsoft Office file. When the file is opened, Office prompts the user about enabling macros; if the user chooses to enable them, or already has macros enabled, the malicious code runs. The attackers have distributed Adnel as malicious .doc and .xls files.
“Upon opening the Microsoft Office file (in this case a Word document), a user will be prompted to enable macros,” the Microsoft Malware Protection Center warned. “By default, the macros in Microsoft Office are set as ‘Disable all macros with notification’. Until they are manually enabled, the malware code cannot run.”
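The setting Microsoft refers to is a per-application registry value, VBAWarnings, which the Trust Center exposes as the macro security level. The following is an added example, not code from the article or from Microsoft: a PowerShell script that audits that value for Word, Excel and PowerPoint and then enforces a stricter level through the per-user policy key, which overrides whatever a user has chosen in the Trust Center. The Office version keys (14.0, 15.0, 16.0), the application names and the chosen hardening level (3, signed macros only) are assumptions for the example; adjust them to your estate.

```powershell
# Added example (not from the article or Microsoft): audit and enforce the Office
# macro security level that this campaign relies on users overriding.
# Assumed Office registry version keys: 14.0 (2010), 15.0 (2013), 16.0 (2016+).
# VBAWarnings values:
#   1 = Enable all macros                       (weak; never deploy)
#   2 = Disable all macros with notification    (Office default, as Microsoft describes)
#   3 = Disable all except digitally signed     (recommended where unsigned macros are not needed)
#   4 = Disable all macros without notification (no prompt at all)
$Apps     = 'Word', 'Excel', 'PowerPoint'
$Versions = '14.0', '15.0', '16.0'

function Get-MacroSetting {
    param([string]$Version, [string]$App)
    # The policy key wins over the user's own Trust Center choice, so check it first.
    $policy = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    $user   = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    foreach ($path in $policy, $user) {
        $v = (Get-ItemProperty -Path $path -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $v) {
            return [pscustomobject]@{ Version = $Version; App = $App; Source = $path; VBAWarnings = $v }
        }
    }
    # No explicit value anywhere: Office applies its built-in default of 2.
    [pscustomobject]@{ Version = $Version; App = $App; Source = '(built-in default)'; VBAWarnings = 2 }
}

function Set-MacroPolicy {
    param([string]$Version, [string]$App, [ValidateSet(2, 3, 4)][int]$Level)
    $path = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Writing under Software\Policies greys the option out in the Trust Center UI,
    # so a social-engineering prompt cannot talk the user into "Enable Content".
    Set-ItemProperty -Path $path -Name VBAWarnings -Value $Level -Type DWord
}

# Audit: level 1 is the only outright finding; level 2 is the default the
# campaign counts on, so it is worth reporting as well.
foreach ($ver in $Versions) {
    foreach ($app in $Apps) {
        $s = Get-MacroSetting -Version $ver -App $app
        switch ($s.VBAWarnings) {
            1 { Write-Warning "$app $ver allows ALL macros (set via $($s.Source))" }
            2 { Write-Output  "$app $ver prompts to enable macros (Office default; user can override)" }
            default { Write-Output "$app $ver macro level $($s.VBAWarnings) via $($s.Source)" }
        }
    }
}

# Harden: require digitally signed macros for every assumed app/version.
foreach ($ver in $Versions) {
    foreach ($app in $Apps) { Set-MacroPolicy -Version $ver -App $app -Level 3 }
}
```

Two caveats. This writes the HKCU policy hive directly, which Office honours but which a domain Group Policy refresh will overwrite; in a managed environment the same VBAWarnings value belongs in the Office administrative templates instead. And level 3 only helps if your own macros are signed; otherwise level 4 is the honest choice, since level 2 is exactly the prompt this campaign's lures are written to defeat.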
The campaign primarily targets users in the United States and the United Kingdom, which have seen just under and just over 10,000 detections, respectively. Microsoft has also observed detections in France, Japan, Australia, India, South Africa, Canada, Italy and Germany, though each of those has far fewer than 1,000.
On the receiving end, users should watch for the following email subject lines: ACH Transaction Report, Doc-file for report is ready, Invoice as required, Invoice – P97291, Order – Y24383, Payment Details, Remittance Advice from Engineering Solutions Ltd and Your Automated Clearing House Transaction Has Been Put Out.
Malicious attachments deployed in the attack include: 20140918_122519.doc, 813536MY.xls, ACH Transfer 0084.doc, Automated Clearing House transfer 4995.doc, BAC474047MZ.xls, BILLING DETAILS 4905.doc, CAR014 151239.doc, ID_2542Z.xls, Fuel bill.doc, ORDER DETAILS 9650.doc, Payment Advice 593016.doc, SHIPPING DETAILS 1181.doc, SHIP INVOICE 1677.doc and SHIPPING NO.doc.
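The subject and attachment lists above are one batch of lures; the invoice and order numbers change with every send. The following is an added example, not from the article or from Microsoft, of how a mail-gateway or SOC triage rule would generalise them: it flags a message only when the attachment is a macro-capable Office file and either the subject or the attachment name matches the campaign's financial-lure patterns, so a PDF invoice or a plain-text remittance notice is not flagged. The log lines are constructed for the example, and the regular expressions are the example's own generalisation of the page's list, not Microsoft's detection logic.

```powershell
# Added example (not from the article or Microsoft): triage rule generalised from the
# lure subjects and attachment names the campaign used. Patterns are assumptions.

# Financial themes shared by all listed subject lines.
$LureSubject = '(?i)\b(ACH|Automated Clearing House|invoice|order|payment( details)?|remittance|doc-?file)\b'

# Attachment naming shapes from the list: "ACH Transfer 0084.doc", "SHIPPING DETAILS 1181.doc",
# "20140918_122519.doc", "813536MY.xls", "BAC474047MZ.xls", "ID_2542Z.xls", "Fuel bill.doc" ...
$LureAttachment = '(?i)^(ACH|Automated Clearing House|BILLING|ORDER|SHIP(PING)?|Payment Advice|Fuel bill|\d{8}_\d{6}|[A-Z0-9]{6,}(MY|MZ)|ID_\d+[A-Z])\b.*\.(doc|xls|docm|xlsm)$'

# Legacy binary formats (.doc/.xls) carry macros silently; .docm/.xlsm declare them.
$MacroCapable = '(?i)\.(doc|dot|xls|xlt|docm|dotm|xlsm|xltm|pptm)$'

function Test-MacroLure {
    param([string]$Subject, [string]$Attachment)
    # Without a macro-capable attachment there is nothing for the lure to enable.
    if ($Attachment -notmatch $MacroCapable) { return $false }
    ($Subject -match $LureSubject) -or ($Attachment -match $LureAttachment)
}

# Constructed sample of a gateway log: timestamp,sender,subject,attachment (subject may contain commas, so split at most 4 ways).
$SampleLog = @(
    '2015-02-18T09:01:11Z,ar@engsolutions-ltd.example,Remittance Advice from Engineering Solutions Ltd,Payment Advice 593016.doc',
    '2015-02-18T09:02:45Z,billing@shipco.example,Your Automated Clearing House Transaction Has Been Put Out,Automated Clearing House transfer 4995.doc',
    '2015-02-18T09:03:10Z,noreply@vendor.example,Order – Y24383,813536MY.xls',
    '2015-02-18T09:04:02Z,accounts@realpartner.example,Invoice as required,Invoice-2015-02.pdf',
    '2015-02-18T09:05:30Z,hr@corp.example,Q1 planning notes,Q1 planning notes.docx'
)

$Findings = foreach ($line in $SampleLog) {
    $ts, $from, $subject, $attachment = $line -split ',', 4
    if (Test-MacroLure -Subject $subject -Attachment $attachment) {
        [pscustomobject]@{ Time = $ts; From = $from; Subject = $subject; Attachment = $attachment }
    }
}

# Expected: the first three lines are flagged; the PDF and the .docx are not.
$Findings | Format-Table -AutoSize
```

Treat the output as a queue for quarantine and user notification rather than a block list: the patterns are deliberately broad, and the macro-capable check is what keeps the false-positive rate tolerable. Note that .docx and .xlsx cannot carry macros, which is why the last sample line is not flagged; a macro-bearing file saved in the newer formats must use the .docm/.xlsm extension, and a gateway can reject those outright if the business does not exchange them.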
Wednesday, February 18, 2015