Sunday, April 13, 2025
Follow us On Linkedin
HomeMalwareHackers Using Macro-Less Approach to Steal Victims Password Through Office Documents

Hackers Using Macro-Less Approach to Steal Victims Password Through Office Documents

Malware

Published on

By Gurubaran
Hackers Using Macro-Less Approach to Steal Victims Password Through Office Documents

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

Hackers use macros in Microsoft Office documents to distribute malicious scripts and it will be executed once the user opens the document such as Word, Excel, or PowerPoint.

With Microsoft office, Dynamic Data Exchange(DDE) used to exchange data between application and attackers using this in wild to execute malicious scripts and to compromise victims.

Security researchers From trustwave spotted a new Email spam campaign with the macro-less approach. Instead, they are using Multi-Stage infection process to install the password stealer malware as a final payload in the victim machine.

Email subjects in Spam Campaign

- Advertisement - Google News
TNT STATEMENT OF ACCOUNT – {random numbers}...............
Request for Quotation (RFQ) - <{random numbers}>
Telex Transfer Notification
SWIFT COPY FOR BALANCE PAYMENT

Payload Injection Process – Password Stealer Malware

Once the victim downloads and opens the malicious documents that contain an embedded OLE from their email, it downloads and executes a remote document RTF file.

Password Stealer Malware

The Downloaded RTF file exploits the Vulnerability CVE-2017-11882(Microsoft Office Memory Corruption Vulnerability) that target MS Equation Editor tool.

Also Read New Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware that Creating Backdoor

OnceRTF executed it execute an MSHTA command line which downloads and executes a remote HTA file and the HTA file contains obfuscated VBscripts to download the remote binary file that downloads the final payload Password Stealer Malware.

Password Stealer Malware

The downloaded malware is capable of stealing the password from email, FTP, and browser by concatenating available memory strings.

Researchers said It’s pretty unusual to find so many stages and vectors being used to download malware. Indeed, this approach can be very risky for the malware author.

With the Microsoft January update, they removed some of the functionalities with Equation Editor which fixes this vulnerability.

Last November Microsoft released best security practices on how to safely open Office documents that contain Dynamic Data Exchange and strongly recommends to review the security feature.

IoC

DOCX File
MD5: F7DA16B16567A78C49D998AE85021A0F
SHA1: 776C469861C3AC30AA63D9434449498456864653

RTF File
MD5: 79BCAFD6807332AD2B52C61FE05FFD22
SHA1: 0D8215F88C75CD8FBF2DFAB12D47B520ECE94C52

HTA File
MD5: 11B28D4C555980938FE7440629C6E0EC
SHA1: 0ADD65090EF957AA054236FF6DD59B623509EC8B

Final Payload
MD5: EDB27CC321DF63ED62502C172C172D4F
SHA1: C4AA4E70521DD491C16CE1FBAB2D4D225C41D1EA
Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

cyber security

Threat Actors Manipulate Search Results to Lure Users to Malicious Websites

Cybercriminals are increasingly exploiting search engine optimization (SEO) techniques and paid advertisements to manipulate...
Android

Hackers Imitate Google Chrome Install Page on Google Play to Distribute Android Malware

Cybersecurity experts have unearthed an intricate cyber campaign that leverages deceptive websites posing as...
Cyber Attack

Dangling DNS Attack Allows Hackers to Take Over Organization’s Subdomain

Hackers are exploiting what's known as "Dangling DNS" records to take over corporate subdomains,...
cyber security

HelloKitty Ransomware Returns, Launching Attacks on Windows, Linux, and ESXi Environments

Security researchers and cybersecurity experts have recently uncovered new variants of the notorious HelloKitty...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

Register Now

More like this

Android

Hackers Imitate Google Chrome Install Page on Google Play to Distribute Android Malware

Cybersecurity experts have unearthed an intricate cyber campaign that leverages deceptive websites posing as...
Browser

TROX Stealer Harvests Sensitive Data Including Stored Credit Cards and Browser Credentials

Cybersecurity experts at Sublime have uncovered a complex malware campaign revolving around TROX Stealer,...
cyber security

GOFFEE Deploys PowerModul in Coordinated Strikes on Government and Energy Networks

The threat actor known as GOFFEE has launched a series of targeted attacks against...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2025 GBHackers On Security - All Rights Reserved