Sunday, July 3, 2022

Canada among prime targets of new Office macro infection tactic

Canada and the U.S. are among the countries where hackers are trying a new tactic for bypassing protections from macro-based malware in Microsoft Office, according to a new report from McAfee.

Using macro obfuscation, Windows tools and legacy supported XLS formats, the campaign downloads and executes malicious DLLs without any malicious code present in the initial email attachment.

Briefly, a victim gets a phishing email with a Microsoft Word document attachment. If the document is opened, a password-protected Microsoft Excel file is downloaded.

By default, Microsoft Office has macros turned off to protect against infected macros automatically executing. However, the hackers have created a trick message that says the document was created in a previous version of Word and asks the victim to click on the ‘Enable editing’ and ‘Enable content’ buttons. That enables macros to run.

This popup encourages victims to disable Office protection. Image from McAfee

The box the message appears in stores all content required to connect to a remote Excel document, including the password needed to open the malicious document. Hidden in Excel cells is code that creates a new VBA (Visual Basic for Applications) module to create an XLS macro. This macro in turn modifies a registry key to disable trust access for VBA on the victim’s computer without any Microsoft Office warnings. Then a malicious file called zloader.dll can be downloaded from a command and control server.

“Malicious documents have been an entry point for most malware families,” the blog notes, “and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payload as we discussed in this blog. Usage of such agents in the infection chain is not only limited to Word or Excel, but further threats may use other living off the land tools to download its payloads.”

McAfee advises all users to avoid opening any email attachments or clicking any links present in the mail without verifying the identity of the sender. “Always disable the macro execution for Office files,” the blog authors say.
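
One way to watch for the registry change described above, as an added example that is not from McAfee's report or this article: it flags an Office process weakening Office's own macro settings. The value names `VBAWarnings` and `AccessVBOM` are an assumption (the article does not name the key), and the event lines are constructed samples modelled on Sysmon registry value-set records.

```python
import re

# Assumption: the article does not name the registry value, so this example
# watches two real Office settings. VBAWarnings=1 means "enable all macros";
# AccessVBOM=1 trusts programmatic access to the VBA project object model.
WEAK_VALUES = {"vbawarnings": 1, "accessvbom": 1}
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
TARGET_RE = re.compile(
    r"\\Software\\(?:Policies\\)?Microsoft\\Office\\[\d.]+\\(?P<app>\w+)"
    r"\\Security\\(?P<value>VBAWarnings|AccessVBOM)$",
    re.IGNORECASE,
)
DWORD_RE = re.compile(r"DWORD \(0x(?P<hex>[0-9a-fA-F]{8})\)")


def parse_event(line):
    """Split a 'Field=value | Field=value' line into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def find_macro_downgrades(lines):
    """Return (image, app, value) for Office processes weakening macro security."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        target = TARGET_RE.search(ev.get("TargetObject", ""))
        dword = DWORD_RE.fullmatch(ev.get("Details", ""))
        if image not in OFFICE_IMAGES or not target or not dword:
            continue  # not an Office writer, not a macro setting, or malformed
        name = target.group("value").lower()
        if int(dword.group("hex"), 16) == WEAK_VALUES[name]:
            hits.append((image, target.group("app"), target.group("value")))
    return hits


# Constructed sample events (not taken from any real host or from the report).
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | TargetObject=HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM | Details=DWORD (0x00000001)",
    r"Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | TargetObject=HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings | Details=DWORD (0x00000001)",
    r"Image=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | TargetObject=HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings | Details=DWORD (0x00000002)",
    r"Image=C:\Windows\System32\svchost.exe | TargetObject=HKU\S-1-5-21-0-0-0-1001\Software\Policies\Microsoft\Office\16.0\Excel\Security\VBAWarnings | Details=DWORD (0x00000004)",
    r"Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | TargetObject=HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Office\16.0\Word\Options\DisableBootToOfficeStart | Details=DWORD (0x00000001)",
]
```

Run over the sample events, `find_macro_downgrades(SAMPLE_EVENTS)` flags only the first two records, where Word loosens Excel's settings; the stricter values and the non-Office writer are ignored.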
