Barkly security experts have recently uncovered a new piece of macro-based malware that is growing into a full-featured threat, able to detect and get around traditional defenses.
For almost fifteen years, crooks have been abusing Word macros to drop different types of malware and infect victims' PCs. This tactic relies on the ability of macros to automatically execute a series of instructions as a single command. The approach was first used back in the early 2000s.
As users got used to it and started to recognize it, the technique was dropped for a while, only to reappear in late 2014 as cybercriminals hoped to face a new generation of users.
For the past two years, crooks have been coming up with newer and newer tactics for fooling victims into enabling Word macros. However, the malicious Word docs usually contained only scripts, which had to be triggered to download a dropper. This dropper would then download the actual malicious payload from a C&C server.
Now, a new wave of phishing emails has been detected. The malicious email messages carry booby-trapped Word docs disguised as invoices and ask victims to enable macros to view the content.
However, this time things are different from previous similar attacks. The attackers have decided to add a second-stage executable payload attached directly to the Word document.
“One thing that makes this latest version of [well-known downloader] Hancitor stand out is that its payload is already bundled as a binary object directly in the Word doc. It’s this payload that pings the C2 server. What it receives are pointers back to two additional binary objects (one executable and one DLL), which it downloads and executes.” – the Barkly researchers explained.
They also add that the executed dynamic-link library (DLL) calls are what give the crooks the opportunity to gain access to OS resources and grab additional payloads. The main reason for this modification is to throw traditional security tools off the malware's scent.
With this particular spam campaign, Hancitor intends to deliver the Vawtrak and Pony data-stealing Trojans. However, the type of malware being dropped could be any other as well.
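Because the payload described above travels inside the document rather than being fetched by a script, a mail gateway or triage script can look for a Windows executable image within an attachment. The following is an added example, not code from Barkly or from the original article: it scans a file's bytes for PE headers and labels each hit as EXE or DLL. It assumes the embedded binary is stored unencoded and uncompressed; the function names and the sample bytes are constructed for illustration.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file (.doc) signature
IMAGE_FILE_DLL = 0x2000                        # COFF Characteristics flag for a DLL

def find_embedded_pe(data: bytes):
    """Return [(offset, kind)] for every plausible PE image inside data."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            # e_lfanew at 0x3C of the DOS header points to the PE header
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            # Heuristic bounds on e_lfanew, then require "PE\0\0" followed by
            # a complete 20-byte COFF header; a bare "MZ" in text fails here.
            if (0x40 <= e_lfanew <= 0x1000 and pe + 24 <= len(data)
                    and data[pe:pe + 4] == b"PE\0\0"):
                (flags,) = struct.unpack_from("<H", data, pe + 22)
                hits.append((pos, "dll" if flags & IMAGE_FILE_DLL else "exe"))
        pos = data.find(b"MZ", pos + 1)
    return hits

def _fake_pe(characteristics: int) -> bytes:
    """Constructed, non-functional PE header stub used only as sample input."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff

def build_sample() -> bytes:
    """Constructed 'invoice' bytes: OLE header, decoy text, an EXE and a DLL stub."""
    return (OLE_MAGIC + b"\x00" * 504 + b"Invoice MZ-2016 text" + b"\x00" * 100
            + _fake_pe(0x0102) + b"\x00" * 64 + _fake_pe(0x2102))

if __name__ == "__main__":
    for offset, kind in find_embedded_pe(build_sample()):
        print(f"embedded PE ({kind}) at offset 0x{offset:x}")
```

An executable image inside an attachment that presents itself as an invoice is a strong quarantine signal. Macro-enabled Office Open XML files are ZIP containers, so their parts need to be decompressed before a byte scan like this one can see into them.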