It is very common for malware to be distributed via phishing emails that require some level of user interaction, such as visiting a URL or opening a Microsoft Office attachment. Word and Excel files carrying macros are a frequent delivery vehicle for malicious payloads.

You should always be wary of macros, as they can be used to run malicious code on your systems. By default they are disabled and will only run if the end user explicitly enables them. When an Office file containing a macro is opened, Office shows a warning bar stating that the document contains macros and that they have been blocked. As long as the user does not enable them, the macro cannot run and the payload it would deliver is never fetched.

A phishing campaign has recently been discovered that follows the usual pattern for spreading malware: the first stage is a phishing email with an Office attachment whose macros install the malware payload, in this case ZLoader. What is new is how the dangerous Office files are used: the first document turns off the usual macro warnings and security settings so that a second document can run its macros silently.

The final payload is a malicious DLL, the ZLoader malware itself, but the initial phishing email does not carry it. The email has a Microsoft Word attachment which, once it is opened and macros are enabled, downloads a password-protected Excel spreadsheet from the attacker's remote server.

The attack relies on Microsoft Word Visual Basic for Applications (VBA) and the Dynamic Data Exchange (DDE) fields of Microsoft Excel, and works on systems that support the legacy .xls file format.

Once the password-protected Excel file has been downloaded, VBA code in the Word document reads the cell contents of the specially crafted XLS file. The Word VBA then writes those cell contents into the XLS file's VBA project to construct a new macro inside the spreadsheet. When the macro is in place, the Word document turns off Excel's macro defenses by setting the registry policy that disables the Excel macro warning. The Excel VBA is then run; it downloads the malicious DLL files, which are executed using rundll32.exe. The point for defenders is that, unless they are locked down by Group Policy, these Trust Center settings live in per-user registry keys that any code already running as the user can rewrite, so enabling macros in one document can silently disable the warning for every document that follows.
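The chain above leaves a distinctive trail in endpoint telemetry: Word spawning Excel, the Word process writing the Excel macro-security values in the registry, and Excel spawning rundll32.exe. The following detection logic is an added example, not code from the original post or from the researchers who analysed ZLoader. It runs over constructed Sysmon-style events (Event ID 1 process creation and Event ID 13 registry value set; the sample events, pids and paths are made up) and assumes that the two Excel settings the macro flips are the VBAWarnings value (1 = enable all macros) and the AccessVBOM value (1 = trust access to the VBA project object model) under the user's Office\<version>\Excel\Security key.

```python
"""Detect the Word -> Excel -> registry tamper -> rundll32 chain over
Sysmon-style events.  Added example; see the lead-in for assumptions."""
import re
from collections import defaultdict

# Assumed names of the Excel Trust Center values a macro sets to 1 in order to
# silence the macro warning and to allow writing into another file's VBA project.
MACRO_POLICY_VALUES = {"vbawarnings", "accessvbom"}

# Constructed sample events, not real telemetry.  Paths are shortened.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "ppid": 3000, "image": r"C:\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\bob\Downloads\Invoice.doc"'},
    {"id": 1, "pid": 4200, "ppid": 4100, "image": r"C:\Office16\EXCEL.EXE",
     "parent_image": r"C:\Office16\WINWORD.EXE",
     "cmdline": r'"EXCEL.EXE" /automation -Embedding'},
    {"id": 13, "pid": 4100, "image": r"C:\Office16\WINWORD.EXE",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings",
     "details": "DWORD (0x00000001)"},
    {"id": 13, "pid": 4100, "image": r"C:\Office16\WINWORD.EXE",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM",
     "details": "DWORD (0x00000001)"},
    {"id": 1, "pid": 4300, "ppid": 4200, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Office16\EXCEL.EXE",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,DllRegisterServer"},
    # Benign noise: a user opens Word normally and nothing else happens.
    {"id": 1, "pid": 5100, "ppid": 3000, "image": r"C:\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\bob\notes.docx"'},
]


def _basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dword(details):
    """Parse Sysmon's 'DWORD (0x00000001)' detail string into an int, or None."""
    m = re.search(r"DWORD \((0x[0-9a-fA-F]+)\)", details or "")
    return int(m.group(1), 16) if m else None


def macro_policy_tampering(events):
    """Return registry-set events that weaken Excel macro security.

    Flags any write of VBAWarnings or AccessVBOM under an Excel\\Security key
    that sets the value to 1.  A user changing the Trust Center through the UI
    produces the same write from the same process, so this is high-signal on
    its own only when correlated with the rest of the chain below.
    """
    hits = []
    for ev in events:
        if ev["id"] != 13:
            continue
        key, _, value = ev["target"].replace("/", "\\").rpartition("\\")
        if (value.lower() in MACRO_POLICY_VALUES
                and key.lower().endswith("\\excel\\security")
                and _dword(ev["details"]) == 1):
            hits.append(ev)
    return hits


def detect_chain(events):
    """Correlate the full chain by pid/ppid:
    WINWORD.EXE (which also wrote the policy values) -> child EXCEL.EXE
    -> child rundll32.exe.  Returns one finding per rundll32 launch that
    completes the process chain, listing which policy values Word changed.
    """
    procs = {ev["pid"]: ev for ev in events if ev["id"] == 1}
    tampered_by = defaultdict(list)
    for ev in macro_policy_tampering(events):
        tampered_by[ev["pid"]].append(ev["target"].rsplit("\\", 1)[-1])

    findings = []
    for ev in procs.values():
        if _basename(ev["image"]) != "rundll32.exe":
            continue
        excel = procs.get(ev["ppid"])
        if not excel or _basename(excel["image"]) != "excel.exe":
            continue
        word = procs.get(excel["ppid"])
        if not word or _basename(word["image"]) != "winword.exe":
            continue
        findings.append({
            "word_pid": word["pid"],
            "excel_pid": excel["pid"],
            "rundll32_cmdline": ev["cmdline"],
            "policy_values_changed": sorted(tampered_by.get(word["pid"], [])),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_chain(SAMPLE_EVENTS):
        print(finding)
```

The process chain alone (Word spawning Excel spawning rundll32.exe) is already a strong alert in most environments; the registry correlation is what ties it to this specific technique and tells the responder which Trust Center values to reset on the affected user profile.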

While the malicious files are downloaded and executed silently, the attack still needs the recipient to enable macros in the first Word document. Victims are tricked into doing so by a message shown when they open the Word file: “This document was created in an earlier version of Microsoft Office Word. To access or amend this document, please click the ‘Enable editing’ button on the top bar, and then click ‘Enable content’.” That one click initiates the entire infection chain.

ZLoader is a strain of the Zeus banking Trojan, which first appeared in 2006. The malware is also referred to as ZBot and Silent Night and is used by a range of different attack groups. It was deployed in large-scale attacks during 2020 using COVID-19 themed lures, such as COVID-19 prevention tips, alongside more standard lures such as job applications.

Once installed, the malware uses web injects to capture passwords, login credentials and browser cookies.

If you wish to prevent this from impacting your business, contact the TitanHQ team now to find out more about SpamTitan Email Security and WebTitan Web Security. There is no obligation with the 14-day free trial, so you can see for yourself how easy they are to use and how effective they are at blocking malware attacks.