Hackers Use a New Technique to Disable Macro Security and Launch Weaponized MS Office Documents
Nowadays the rate of phishing campaigns has increased so much that encountering such attacks has become routine.

The threat actors behind phishing campaigns generally use Microsoft Office documents as their weapon, prompting victims to enable macros so that the infection chain can proceed.

The threat actors' techniques evolve day by day so that they can evade detection and carry out successful attacks.

The techniques now in use include macro obfuscation, DDE, living-off-the-land binaries and scripts (LOLBAS), and even legacy XLS formats, which Office still supports, to carry out their operations.

Recently, during routine investigation, McAfee Labs researchers detected a new method being used in phishing campaigns. The method downloads and executes a malicious DLL (Zloader) without any malicious code appearing in the macro of the initial spammed attachment.

The malware detected by the researchers is a ZeuS banking trojan, and according to the report it has been observed in the following countries:

  • The U.S.
  • Canada
  • Spain
  • Japan
  • Malaysia

Infection Chain

The researchers learned of this campaign through an email carrying a Microsoft Word document. When the document is opened and macros are enabled, it downloads a password-protected Microsoft Excel document, which then pops up.

Once the download is complete, the Word VBA reads cells from the XLS and uses them to write a new macro into the XLS file. The Word document then sets a policy in the registry so that it can disable Excel's macro warning.
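The article says the Word macro writes a registry policy that disables Excel's macro warning but does not name the value it changes. As an added, defender-side example (not from the article or from McAfee's report), the Python script below audits the per-user Office macro settings that such a change would have to touch. Office stores them under HKCU\Software\Microsoft\Office\<version>\<App>\Security as the DWORDs VBAWarnings (1 = enable all macros, 2 = disable with notification, 3 = disable except signed, 4 = disable without notification) and AccessVBOM (1 = trust access to the VBA project object model, which lets a macro write macro code into another workbook programmatically). The script parses a .reg export of that hive, so it can run offline against a reg.exe export or a mounted image; the export embedded here is a constructed sample, and which of these values this specific campaign sets is not stated in the article.

```python
import re

# Meaning of the VBAWarnings DWORD under
# HKCU\Software\Microsoft\Office\<ver>\<App>\Security (the Trust Center macro setting).
VBA_WARNINGS_MEANING = {
    1: "enable all macros (no prompt)",
    2: "disable all macros with notification (default)",
    3: "disable all macros except digitally signed",
    4: "disable all macros without notification",
}

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
# Only the per-application Security subkeys hold the macro settings we care about.
SECURITY_KEY_RE = re.compile(
    r"\\Office\\\d+\.\d+\\(Word|Excel|PowerPoint)\\Security$", re.IGNORECASE
)

# Constructed sample .reg export: Word is at its default, Excel has been weakened.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000001
"AccessVBOM"=dword:00000001
"""


def parse_reg_export(text):
    """Parse DWORD values from a .reg export into {key_path: {value_name: int}}.

    The macro settings are all DWORDs, so string and binary values are skipped.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2), 16)
    return result


def audit_macro_security(reg):
    """Return (key, value_name, value, reason) for each weakened Office macro setting."""
    findings = []
    for key, values in reg.items():
        if not SECURITY_KEY_RE.search(key):
            continue
        vba = values.get("VBAWarnings")
        if vba == 1:
            findings.append((key, "VBAWarnings", vba, VBA_WARNINGS_MEANING[vba]))
        if values.get("AccessVBOM") == 1:
            findings.append((key, "AccessVBOM", 1,
                             "macros may read/write VBA project code in other documents"))
    return findings


if __name__ == "__main__":
    for key, name, value, reason in audit_macro_security(parse_reg_export(SAMPLE_REG)):
        print(f"WEAK: {key}\\{name} = {value}  ({reason})")
```

On a live host the same hive can be exported with `reg export "HKCU\Software\Microsoft\Office" office.reg` and fed to `parse_reg_export`; a VBAWarnings of 1 or an AccessVBOM of 1 that the user did not set deliberately is a strong indicator that a macro has tampered with the Trust Center settings.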

Word and VBA Macro Analysis

For safety, Microsoft Office disables macros by default, but the attackers are well aware of this, so they present a fake image to trick victims into enabling macros.

The Excel file downloaded from the malicious domain is handled through an Excel application object, which the Word macro creates with the CreateObject() function using the string "excel" read from Combobox-1 of Userform-1.

Techniques & tactics used by the malware

The malware uses the following techniques and tactics (MITRE ATT&CK IDs):

  • E-mail Spear Phishing (T1566.001)
  • Execution (T1059.005)
  • Defense Evasion (T1218.011)
  • Defense Evasion (T1562.001)

The researchers are still working through all the details of this malware; for security reasons, macros are disabled by default in Microsoft Office applications.

However, after the investigation, the security researchers affirm that it is safe to enable macros when the document comes from a reliable source.

IOC

Type                 | Value                                                            | Scanner    | Detection Name      | Detection Package Version (V3)
Main Word Document   | 210f12d1282e90aadb532e7e891cbe4f089ef4f3ec0568dc459fb5d546c95eaf | ENS        | W97M/Downloader.djx | 4328
Downloaded dll       | c55a25514c0d860980e5f13b138ae846b36a783a0fdb52041e3a8c6a22c6f5e2 | ENS        | Zloader-FCVP        | 4327
URL to download XLS  | hxxp://heavenlygem.com/11.php                                    | WebAdvisor | Blocked             | N/A
URL to download dll  | hxxp://heavenlygem.com/22.php?5PH8Z                              | WebAdvisor | Blocked             | N/A

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
