Saturday, January 18, 2025
HomeTHREATSHackers Distributing Malicious RTF Excel Sheets Document and Installing RAT using VBA...

Hackers Distributing Malicious RTF Excel Sheets Document and Installing RAT using VBA Macro code

Published on

SIEM as a Service

Follow Us on Google News

A recently discovered RTF documents that contain malicious VBA Macro code distributing to infect the windows users with dangerous Remote access Trojan ( RAT ). NetwiredRC and Quasar.

NetWiredRC and  Quasar is a remote access Trojan that used by cyber-criminals to gain complete control of victim’s computer remotely.

Malware authors always finding a unique way to distributing and execute the malware using various social engineering method via malicious documents.

Both Remote access Trojan capable of performing various malicious operations such as remote webcam, remote shell and keylogging.

In this scenario, both critical RAT has dropped by macro contain malicious RTF documents with Excel sheets.

Recent days macro enabled malicious documents based malware attacks are widely discovered and getting into large number victims since the Microsoft documents are mainly used platform for the organization as well as individuals for various operations.

Also Read:  Mirai Based Botnet “OMG” Turns IoT Device into a Proxy Server

RAT Infection Flow with VBA Macro Code

Initially, the Malicious  RTF document spreading via social engineering campaign which consists of Macro Excel sheets.

Once a user clicks the  RTF Document, embedded macro repeatedly showing the popup and forcing users to enable the Macros.

In this case, there is no way to stop the popups excepts to click and force stop the whole documents and macro warning popup 1o times because it contains 10 excel documents.

Infection Flow

Malware author used a method called “\objupdate” control in embedded excel sheet that helps to execute the Macro code during the RTF document loaded and this method was abused the CVE-2017-0199, but it is not used in this worst-case scenario.

According to zscaler Reseachers, We observed two variations of the malicious macro in this campaign (see Fig. 5). Although the macro code is identical, it is executing the PowerShell command to download intermediate payloads using Schtasks and cmd.exe.

Later Powershell downloads a malicious VBS Script and executes it the final payload that NetwiredRC and QusarRat.

The malware also permanently enables macros for Word, PowerPoint, and Excel by doing registry modification and disable the protected view settings.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....

New Tool Unveiled to Scan Hacking Content on Telegram

A Russian software developer, aided by the National Technology Initiative, has introduced a groundbreaking...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Hackers Exploiting Fortinet Zero-day Vulnerability In Wild To Gain Super-Admin Privileges

A critical zero-day vulnerability in Fortinet's FortiOS and FortiProxy products is being actively exploited...

Critical SAP NetWeaver Flaws Let Hackers Gain System Access

SAP has released its January 2025 Security Patch Day updates, addressing 14 new vulnerabilities,...

Microsoft January 2025 Patch Tuesday Comes with Fix for 159 Vulnerabilities

Microsoft's January 2025 Patch Tuesday has arrived with a significant security update, addressing a...