New Threat, Old Techniques

Diego Samuel Espitia    3 August, 2021

For some years now, malware developers have focused their techniques on evading detection mechanisms, and they have found that obfuscated macros and the abuse of Windows' own built-in tools are an effective way to achieve their goals, even when they use old Office document formats.

One of the malware campaigns that has most exploited the technique of old, obfuscated macros (some simply hidden) is Emotet, named after an ancient Egyptian king. Since 2014 it has become the most feared banking trojan, with a very strong peak of incidents in 2019.



Figure 1: https://any.run/malware-trends/emotet

But this week McAfee Labs published a new infection technique that not only uses Office macros as its main tool at the start of the attack, but complements them with the download of malicious DLLs. So far in 2021 it has mainly affected Spain, Canada and the United States, and it is considered the return of a variant of the Zloader banking malware, which first appeared in 2006 as a variant of the Zeus banking trojan.




Figure 2: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique

The initial attack vector is an email with an attached Microsoft Word file, which downloads a password-protected Microsoft Excel file from a remote server. With both documents on the machine, the VBA macros in the two files interact in a scheduled sequence and modify some registry policies so that no alerts are raised when the dynamic macros run from Excel, and finally download the Zloader executable containing a malicious DLL.
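The step in that chain that a defender can see most cheaply on the endpoint is the registry change: an Office process rewriting its own macro-security settings is not normal user behaviour. The following detection script is an added example and is not code from the original post, McAfee or DIARIO. It assumes Sysmon Event ID 13 (registry value set) records flattened into a constructed `Field=Value|Field=Value` text format, and watches the two real Office trust values most often weakened by macro-driven loaders: `VBAWarnings` (1 = enable all macros without notification) and `AccessVBOM` (1 = trust access to the VBA project object model). The sample records at the bottom are constructed, not real telemetry.

```python
import re
from dataclasses import dataclass

# Office macro-security values live under HKCU\Software\Microsoft\Office\<ver>\<app>\Security.
# VBAWarnings = 1 removes the macro warning bar; AccessVBOM = 1 lets a document
# programmatically write VBA code. A document has no good reason to set either.
WEAK_SETTINGS = {"vbawarnings": "1", "accessvbom": "1"}
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Sysmon reports per-user hives as HKU\<SID>\Software\...; the version segment is e.g. 16.0.
TARGET_RE = re.compile(
    r"HKU\\[^\\]+\\Software\\Microsoft\\Office\\(?P<ver>[\d.]+)\\(?P<app>\w+)\\Security\\(?P<name>\w+)$",
    re.IGNORECASE,
)


@dataclass
class Alert:
    severity: str
    process: str
    app: str
    setting: str
    data: str


def parse_line(line: str) -> dict:
    """Split a constructed 'Field=Value|Field=Value' Sysmon-style record into a dict."""
    return dict(part.split("=", 1) for part in line.split("|") if "=" in part)


def dword_value(details: str) -> str:
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000001)'; return it as decimal text."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    return str(int(m.group(1), 16)) if m else details.strip()


def check_line(line: str):
    """Return an Alert when a record is a registry write that weakens Office macro security."""
    f = parse_line(line)
    if f.get("EventID") != "13":  # 13 = RegistryEvent (value set)
        return None
    m = TARGET_RE.search(f.get("TargetObject", ""))
    if not m:
        return None
    setting = m.group("name").lower()
    if setting not in WEAK_SETTINGS:
        return None
    data = dword_value(f.get("Details", ""))
    if data != WEAK_SETTINGS[setting]:
        return None  # e.g. VBAWarnings=2 or 4 is tightening, not loosening
    process = f.get("Image", "").rsplit("\\", 1)[-1].lower()
    # An Office process rewriting its own trust settings is the macro-driven pattern;
    # the same write from another tool (admin script, regedit) still deserves a look.
    severity = "high" if process in OFFICE_PROCESSES else "medium"
    return Alert(severity, process, m.group("app"), m.group("name"), data)


def scan(lines):
    """Run check_line over a batch of records and keep the alerts."""
    return [a for a in map(check_line, lines) if a is not None]


# Constructed sample records (hypothetical SID, paths and values).
SID = "HKU\\S-1-5-21-1000-1000-1000-1001"
SAMPLE_LOG = [
    "EventID=13|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    f"|TargetObject={SID}\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\VBAWarnings"
    "|Details=DWORD (0x00000001)",
    "EventID=13|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    f"|TargetObject={SID}\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\AccessVBOM"
    "|Details=DWORD (0x00000001)",
    "EventID=13|Image=C:\\Windows\\regedit.exe"
    f"|TargetObject={SID}\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\VBAWarnings"
    "|Details=DWORD (0x00000001)",
    "EventID=13|Image=C:\\Windows\\regedit.exe"
    f"|TargetObject={SID}\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\VBAWarnings"
    "|Details=DWORD (0x00000002)",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] {a.process} set {a.app}\\Security\\{a.setting} = {a.data}")
```

Run as-is it flags the two Word-originated writes as high and the regedit write as medium, and ignores the write that raises `VBAWarnings` to 2 and the unrelated process-creation event. In a real deployment the same rule belongs in the SIEM as a query on Sysmon EID 13 (or the equivalent EDR registry telemetry), keyed on the `Security` subkey of the Office hive and on the originating image.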

This is the typical behaviour we have described for fileless attacks, and the one the innovation area set out to prevent with the creation of DIARIO, which detects the malicious content of these macros at the first step of the threat flow while respecting the privacy of the documents. This case is no exception: the hash that appears as the main IoC is that of the Word document with which the attack starts, 210f12d1282e90aadb532e7e7e891cbe4f089ef4f4f3ec0568dc459fb5d546c95eaf, and, as can be seen in the web response,

we already detected it as malicious, because all 5 macros contain malicious processes. When checking them in our tool, you can clearly see how one of them loads, at the moment the Excel file is opened, the password supplied from Word.

And how the other macro builds the download URL for that same file.

DIARIO was designed in the innovation area on the premise that the most effective way to detect malicious code of this type is machine learning, so that any other document containing a variant of the malicious process detected here will be immediately recognised and marked as a malicious document.

If users were trained and aware enough to analyse every single attachment that arrives in their mail, having a tool like DIARIO inside the Outlook client would allow them to mitigate the risk of this type of attack and counter the threat from the first step of the attack flow.
