Conventional Office macro infection approach Cuts off after a new email spam campaign
In a recently performed email spam drive, researchers found
strokes of spam emails that make use of Microsoft Office documents for a
malicious purpose such as downloading and stealing passwords without having any
need to activate Macros. Observing that the method of hitting a number of users
with multiple emails could result in a big loss if users follow to click and
perform any mentioned measure mentioned in emails
.
Possibly, a huge count of malware will cache Microsoft
Office document typically attached to spam emails. If a victim enables or
activates Macros in a malicious doc file the downloader will save or hide
malware sent via mails. This is a usual vision in spam emails delivered by
Necurs botnet. However, a new sample was taken off the method of the input
sequence, which is mapped to replace an output sequence according to any
certain procedure or simply macro approach. This new method involves the use of
a Microsoft Office exposure to execute data and sensitive details from victims.
From a long track of the email spam campaign, researchers
concluded that there is a four-level infection method to send off attachments
and those data or password stealer. The method or the password stealer program
is strong enough to steal credentials from user’s email, FTP, and browser
clients.
There are particularly different subject lines that have
been noted by researchers during the spam campaign:
·
Request for Quotation (RFQ) – (random numbers)
·
SWIFT COPY FOR BALANCE PAYMENT
·
TNT STATEMENT OF ACCOUNT – (random numbers)
·
Telex Transfer Notification
Reported outcomes of
email Spam campaign
The files sent were observed to
be in different extensions depending on Microsoft versions. Word document of MS
Office 2007 supports XML file formats based on Zip archives and XML tools. It
is easy to convert data and information is Word document 2007 file whether it
is done by programmatic method or manual. Moreover, DOCX attachments contain an
embedded Object Linking and Embedding objects with external references. This
attribute opens up external access to analyze references of document.xml.rels
of OLE objects.
If the end user opens the file,
it prompts the download and execution of any remote document file in rich text
file format (.RTF). These.RTF extensions use MS equation editor tools to
convert downloads an MSHTA command line so it can direct a remote HTA file
format. Eventually, those HTA files result into obscured codes of VBScript and
a PowerShell script that supports remote binary file and these binary files, at
the end, executes the password stealer malware. The whole process explains
Microsoft Office limits, which was discovered back in July 2017.
Attackers can corrupt Microsoft
memory vulnerability by running random codes by failing inappropriately manage
object in the memory. Researchers also explained about high availability of
platforms and vectors to use for malware download. If any of the stage (out of
four) goes unsuccessful, it will give out the domino effect on the entire
process and could be the high-risked approach for the malware author.
At any point, if you face a technical issue
then contact Office customer support team. The technicians working 24*7 will be
glad to assist you. You can also visit office.com/setup
Comments
Post a Comment