Security News > 2021 > July > Hackers Use New Trick to Disable Macro Security Warnings in Malicious Office Files
While it's a norm for phishing campaigns that distribute weaponized Microsoft Office documents to prompt victims to enable macros in order to trigger the infection chain directly, new findings indicate attackers are using non-malicious documents to disable security warnings prior to executing macro code to infect victims' computers.
In yet another instance of malware authors continue to evolve their techniques to evade detection, researchers from McAfee Labs stumbled upon a novel tactic that "Downloads and executes malicious DLLs without any malicious code present in the initial spammed attachment macro."
It's worth noting that macros need to be enabled in the Word document to trigger the download itself.
"After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions," the researchers said.
"Once the macros are written and ready, the Word document sets the policy in the registry to 'Disable Excel Macro Warning' and invokes the malicious macro function from the Excel file. The Excel file now downloads the ZLoader payload. The ZLoader payload is then executed using rundll32.exe."
Given the "Significant security risk" posed by macros, the feature is usually disabled by default, but the countermeasure has had an unfortunate side-effect of threat actors crafting convincing social engineering lures to trick victims into enabling them.
News URL
Related news
- Hackers leak 2.7 billion data records with Social Security numbers (source)
- Hackers posing as Ukraine’s Security Service infect 100 govt PCs (source)
- South Korean hackers exploited WPS Office zero-day to deploy malware (source)
- Microsoft Is Disabling Default ActiveX Controls in Office 2024 to Improve Security (source)