This blog was written by Kiran Raj & Kishan N.
Introduction
In the last few years, Microsoft Office macro malware using social engineering as a means for malware infection has been a dominant part of the threat landscape. Malware authors continue to evolve their techniques to evade detection. These techniques involve utilizing macro obfuscation, DDE, living off the land tools (LOLBAS), and even utilizing legacy supported XLS formats.
McAfee Labs has discovered a new technique that downloads and executes malicious DLLs (Zloader) without any malicious code present in the initial spammed attachment macro. The objective of this blog is to cover the technical aspect of the newly observed technique.
Infection map
Threat Summary
The initial attack vector is a phishing email with a Microsoft Word document attachment.
Upon opening the document, a password-protected Microsoft Excel file is downloaded from a remote server.
The Word document Visual Basic for Applications (VBA) reads the cell contents of the downloaded XLS file and writes into the XLS VBA as macros.
Once the macros are written to the downloaded XLS file, the Word document sets the policy in the registry to Disable Excel Macro Warning and calls the malicious macro function dynamically from the Excel file,
This results in the downloading of the Zloader payload. The Zloader payload is then executed by rundll32.exe.
The section below contains the detailed technical analysis of this technique.
Detailed Technical Analysis
Infection Chain
The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, the Word ..
Support the originator by clicking the read the rest link below.
