July 26, 2018 By Douglas Bonderud 2 min read

A new encrypted downloader is using old-school macro attacks to gain backdoor access.

Threat actors are now pairing new encryption with old macros to subvert system processes and enable backdoor device access, according to a June 2018 IBM X-Force threat advisory. This age-old threat vector is still lucrative for cybercriminals, as evidenced by a December 2017 McAfee Labs report that detected 1.2 million pieces of active macro malware in the third quarter of 2017.

But with organizations increasingly aware of dangerous document risks, threat actors are upping the ante.

A Targeted Macro Malware Attack?

The new malware, identified as GZipDe, leverages a recent report about the Shanghai Cooperation Organization (SCO) Summit held in Qingdao, China. Researchers from AlienVault noted that the threat actors copied part of the report into an email and then “protected” the rest — prompting recipients to enable macros if they wanted to view the entire document.

While there’s no clear victim profile here, Chris Doman, security researcher at AlienVault, told Bleeping Computer in June 2018 that the attack appears to be targeted.

“Given the decoy document is in English and uploaded from Afghanistan, it may have been targeting someone in an embassy or similar there,” Doman told the publication.

How Threat Actors Are Taking Macro Malware to the Next Level

The original payload is available on GitHub, but the attackers raised the stakes by adding a new encrypted downloader to GZipDe before launching their malware attacks. The researchers noted that this encrypted .NET tool both improves antivirus evasion and clouds process memory, making it easier for cybercriminals to install device backdoors.

Malware in the document itself, meanwhile, executes a stored hexadecimal stream Virtual Basic script along with a hidden PowerShell process.

Next, a new obfuscated memory page is launched that includes execute, read and write privileges. This tactic allows attackers to decrypt and execute their malware payload, a Metasploit backdoor and Meterpreter tool able to “gather information from the system and contact the command and control server to receive further commands.”

The Metasploit shellcode lets attackers run their dynamic link library (DLL) completely in-memory. This means it won’t write any information to disk, making it harder to track down an attack in progress.

Why You Should Disable Macros by Default

New encrypted downloader or not, organizations and individual users should disable macros by default to protect devices from this type of malware.

Security experts suggest alternatives to enabling macros, such as:

  • Asking questions: Security leaders should encourage employees to ask questions if they’re unsure whether they should enable macros on a document and make them feel comfortable reporting suspicious messages and files. Fostering a positive security culture is key to making employees an organization’s first line of defense against cyberthreats.
  • Deploying behavioral analytics: While encryption may obfuscate processes and limit total visibility, building in behavior-based detection tools can help security teams identify anomalous activity sooner rather than later.

Sources: McAfee Labs, AlienVault, Bleeping Computer

More from

Generative AI security requires a solid framework

4 min read - How many companies intentionally refuse to use AI to get their work done faster and more efficiently? Probably none: the advantages of AI are too great to deny.The benefits AI models offer to organizations are undeniable, especially for optimizing critical operations and outputs. However, generative AI also comes with risk. According to the IBM Institute for Business Value, 96% of executives say adopting generative AI makes a security breach likely in their organization within the next three years.CISA Director Jen…

Q&A with Valentina Palmiotti, aka chompie

4 min read - The Pwn2Own computer hacking contest has been around since 2007, and during that time, there has never been a female to score a full win — until now.Valentina Palmiotti, aka chompie, changed that. At the March 2024 competition, Palmiotti scored a full win with her discovery of an Improper Update of Reference Count bug to escalate privileges on Windows 11. It was her first time entering Pwn2Own.Pwn2Own is considered one of the most — if not the most — prestigious…

Self-replicating Morris II worm targets AI email assistants

4 min read - The proliferation of generative artificial intelligence (gen AI) email assistants such as OpenAI’s GPT-3 and Google’s Smart Compose has revolutionized communication workflows. Unfortunately, it has also introduced novel attack vectors for cyber criminals. Leveraging recent advancements in AI and natural language processing, malicious actors can exploit vulnerabilities in gen AI systems to orchestrate sophisticated cyberattacks with far-reaching consequences. Recent studies have uncovered the insidious capabilities of self-replicating malware, exemplified by the “Morris II” strain created by researchers. How the Morris…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today