A new encrypted downloader is using old-school macro attacks to gain backdoor access.
Threat actors are now pairing new encryption with old macros to subvert system processes and enable backdoor device access, according to a June 2018 IBM X-Force threat advisory. This age-old threat vector is still lucrative for cybercriminals, as evidenced by a December 2017 McAfee Labs report that detected 1.2 million pieces of active macro malware in the third quarter of 2017.
But with organizations increasingly aware of dangerous document risks, threat actors are upping the ante.
A Targeted Macro Malware Attack?
The new malware, identified as GZipDe, leverages a recent report about the Shanghai Cooperation Organization (SCO) Summit held in Qingdao, China. Researchers from AlienVault noted that the threat actors copied part of the report into an email and then “protected” the rest — prompting recipients to enable macros if they wanted to view the entire document.
While there’s no clear victim profile here, Chris Doman, security researcher at AlienVault, told Bleeping Computer in June 2018 that the attack appears to be targeted.
“Given the decoy document is in English and uploaded from Afghanistan, it may have been targeting someone in an embassy or similar there,” Doman told the publication.
How Threat Actors Are Taking Macro Malware to the Next Level
The original payload is available on GitHub, but the attackers raised the stakes by adding a new encrypted downloader to GZipDe before launching their malware attacks. The researchers noted that this encrypted .NET tool both improves antivirus evasion and clouds process memory, making it easier for cybercriminals to install device backdoors.
Malware in the document itself, meanwhile, executes a stored hexadecimal stream Virtual Basic script along with a hidden PowerShell process.
Next, a new obfuscated memory page is launched that includes execute, read and write privileges. This tactic allows attackers to decrypt and execute their malware payload, a Metasploit backdoor and Meterpreter tool able to “gather information from the system and contact the command and control server to receive further commands.”
The Metasploit shellcode lets attackers run their dynamic link library (DLL) completely in-memory. This means it won’t write any information to disk, making it harder to track down an attack in progress.
Why You Should Disable Macros by Default
New encrypted downloader or not, organizations and individual users should disable macros by default to protect devices from this type of malware.
Security experts suggest alternatives to enabling macros, such as:
- Asking questions: Security leaders should encourage employees to ask questions if they’re unsure whether they should enable macros on a document and make them feel comfortable reporting suspicious messages and files. Fostering a positive security culture is key to making employees an organization’s first line of defense against cyberthreats.
- Deploying behavioral analytics: While encryption may obfuscate processes and limit total visibility, building in behavior-based detection tools can help security teams identify anomalous activity sooner rather than later.