A new encrypted downloader is using old-school macro attacks to gain backdoor access.

Threat actors are now pairing new encryption with old macros to subvert system processes and enable backdoor device access, according to a June 2018 IBM X-Force threat advisory. This age-old threat vector is still lucrative for cybercriminals, as evidenced by a December 2017 McAfee Labs report that detected 1.2 million pieces of active macro malware in the third quarter of 2017.

But with organizations increasingly aware of dangerous document risks, threat actors are upping the ante.

A Targeted Macro Malware Attack?

The new malware, identified as GZipDe, leverages a recent report about the Shanghai Cooperation Organization (SCO) Summit held in Qingdao, China. Researchers from AlienVault noted that the threat actors copied part of the report into an email and then “protected” the rest — prompting recipients to enable macros if they wanted to view the entire document.

While there’s no clear victim profile here, Chris Doman, security researcher at AlienVault, told Bleeping Computer in June 2018 that the attack appears to be targeted.

“Given the decoy document is in English and uploaded from Afghanistan, it may have been targeting someone in an embassy or similar there,” Doman told the publication.

How Threat Actors Are Taking Macro Malware to the Next Level

The original payload is available on GitHub, but the attackers raised the stakes by adding a new encrypted downloader to GZipDe before launching their malware attacks. The researchers noted that this encrypted .NET tool both improves antivirus evasion and clouds process memory, making it easier for cybercriminals to install device backdoors.

Malware in the document itself, meanwhile, executes a stored hexadecimal stream Virtual Basic script along with a hidden PowerShell process.

Next, a new obfuscated memory page is launched that includes execute, read and write privileges. This tactic allows attackers to decrypt and execute their malware payload, a Metasploit backdoor and Meterpreter tool able to “gather information from the system and contact the command and control server to receive further commands.”

The Metasploit shellcode lets attackers run their dynamic link library (DLL) completely in-memory. This means it won’t write any information to disk, making it harder to track down an attack in progress.

Why You Should Disable Macros by Default

New encrypted downloader or not, organizations and individual users should disable macros by default to protect devices from this type of malware.

Security experts suggest alternatives to enabling macros, such as:

  • Asking questions: Security leaders should encourage employees to ask questions if they’re unsure whether they should enable macros on a document and make them feel comfortable reporting suspicious messages and files. Fostering a positive security culture is key to making employees an organization’s first line of defense against cyberthreats.
  • Deploying behavioral analytics: While encryption may obfuscate processes and limit total visibility, building in behavior-based detection tools can help security teams identify anomalous activity sooner rather than later.

Sources: McAfee Labs, AlienVault, Bleeping Computer

More from

Detecting Insider Threats: Leverage User Behavior Analytics

3 min read - Employees often play an unwitting role in many security incidents, from accidental data breaches to intentional malicious attacks. Unfortunately, most organizations don’t have the right protocols and processes to identify potential risks posed by their workforce. Based on a survey conducted by SANS Institute, 35% of respondents said they lack visibility into insider threats, while 30% said the inability to audit user access is a security blind spot in their organizations. In addition, the 2023 X-Force Threat Intelligence Index reported that…

3 min read

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Increasingly Sophisticated Cyberattacks Target Healthcare

4 min read - It’s rare to see 100% agreement on a survey. But Porter Research found consensus from business leaders across the provider, payer and pharmaceutical/life sciences industries. Every single person agreed that “growing hacker sophistication” is the primary driver behind the increase in ransomware attacks. In response to the findings, the American Hospital Association told Porter Research, “Not only are cyber criminals more organized than they were in the past, but they are often more skilled and sophisticated.” Although not unanimous, the…

4 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read