Microsoft warns for new malware attacks with Office documents


7 replies to this topic

#1 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 12,859 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 05 January 2015 - 05:43 PM

 

Microsoft warns of increase in Adnel and Tarbir Trojan attacks on Excel and Word users

Microsoft has warned its Microsoft Office users of a significant rise in malware attacks through macros in the Excel and Word programs. In a report published on its blog, Microsoft says that there is more than a threefold jump in the malware campaigns spreading two different Trojan downloaders. These Trojan downloaders arrive in emails masquerading as orders or invoices.

The malware is being spread through spam emails containing the following subject lines, according to Microsoft:

  • ACH Transaction Report
  • DOC-file for report is ready
  • Invoice as requested
  • Invoice – P97291
  • Order – Y24383
  • Payment Details
  • Remittance Advice from Engineering Solutions Ltd
  • Your Automated Clearing House Transaction Has Been Put On

And the attachment carrying the Adnel and Tarbir campaigns is usually named as follows:

  • 20140918_122519.doc
  • 813536MY.xls
  • ACH Transfer 0084.doc
  • Automated Clearing House transfer 4995.doc
  • BAC474047MZ.xls
  • BILLING DETAILS 4905.doc
  • CAR014 151239.doc
  • ID_2542Z.xls
  • Fuel bill.doc
  • ORDER DETAILS 9650.doc
  • Payment Advice 593016.doc
  • SHIPPING DETAILS 1181.doc
  • SHIP INVOICE 1677.doc
  • SHIPPING NO.doc

The Microsoft TechNet blog says that the two Trojan downloaders, TrojanDownloader:W97M/Adnel and TrojanDownloader:O97M/Tarbir, are being spread at a rapid pace through spam emails and phishing campaigns. Worryingly, they are targeting both home PC users and enterprise customers, and most of the victims are based in the United States and the United Kingdom.

 


 


Arch Linux .
Bleeping Computer Forum Rules and Posting Guidelines link 
Important Information For All Who Help/Post In Linux & Unix
Simple and easy ways to keep your computer safe and secure on the Internet <- Everyone must read this!
How to Protect and Harden a Computer against Ransomware <- Everyone must read this!

"Three out of four voices in my head want to sleep. The fourth voice wants to know if penguins have knees."



 


#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 05 January 2015 - 06:33 PM

So this is an issue with people letting malicious macros run - guess MBAE will not work against it.

A good AV solution that scans documents will, though.

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,262 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 January 2015 - 07:47 PM

FYI: a page to bookmark...My Online Security

This blog will help keep you up to date with windows updates, security warnings, currently spreading email spoofs & malware and my general thoughts about the online world today and how to keep yourself safe online and not become a victim.


They usually are quick at providing the latest information in regards to Word, Excel exploits.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#4 dvk01

dvk01

  • Malware Response Team
  • 129 posts
  • Gender:Male

Posted 06 January 2015 - 04:22 AM

> So this is an issue with people letting malicious macros run - guess MBAE will not work against it.
>
> A good AV solution that scans documents will, though.

So far today NO antivirus will detect today's malicious macro. The bad guys have added yet another layer of encryption to the macro to make it even harder for an AV to detect.  http://myonlinesecurity.co.uk/tracey-smith-aquaid-card-receipt-word-doc-malware/

 

> FYI: a page to bookmark...My Online Security
>
> This blog will help keep you up to date with windows updates, security warnings, currently spreading email spoofs & malware and my general thoughts about the online world today and how to keep yourself safe online and not become a victim.
>
> They usually are quick at providing the latest information in regards to Word, Excel exploits.

 

I do my best to keep that blog updated and I normally get some details on within 1 hour or so of a campaign starting (apart from the odd days when I am out on the road or at the hospital).



#5 dvk01

dvk01

  • Malware Response Team
  • 129 posts
  • Gender:Male

Posted 06 January 2015 - 05:07 AM

Also watch out for this malicious Excel spreadsheet spreading widely this morning:

http://myonlinesecurity.co.uk/sgbd-national-payments-centre-remittance-advice-excel-xls-malware/



#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,262 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 06 January 2015 - 05:45 AM

> I do my best to keep that blog updated and I normally get some details on within 1 hour or so of a campaign starting (apart from the odd days when I am out on the road or at the hospital).

You do an excellent job at that, which keeps the rest of us in the know. :thumbup2:

#7 Sanesecurity

Sanesecurity

  • Members
  • 1 posts

Posted 06 January 2015 - 07:57 AM

Hi All,

 

Lots of Word/Excel macro stuff being thrown about today, after their holidays:

 

http://sanesecurity.blogspot.co.uk/2015/01/payment-advice-senior-accountant-bacs.html

http://sanesecurity.blogspot.co.uk/2015/01/saint-gobain-uk-sgbd-national-payments.html

http://sanesecurity.blogspot.co.uk/2015/01/card-receipt-aquaid-tracey-smith.html

 

Cheers,

 

Steve

http://Sanesecurity.com

http://sanesecurity.blogspot.co.uk/



#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,672 posts
  • Gender:Male

Posted 06 January 2015 - 03:28 PM

I've been monitoring these campaigns for more than 2 months now (and also updated my oledump.py analysis tool to keep up with what these criminals are doing).

 

All the samples I've analyzed do the following: download/extract an executable, write it to disk and execute it.
AV is bad at detecting these malicious documents (at least right after they come out), but it's a bit better at detecting the executable that's written to disk.

But if you use application whitelisting, it will prevent the executable from running.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
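The thread gives two things a mail-gateway or incident responder can act on: the attachment names listed in the first post, and the observation above that every sample carries a VBA macro whose only job is to drop and run an executable. The Python below is an added example written for this thread; it is not code from the forum, from Microsoft, or from Didier Stevens' oledump.py. It triages an attachment by (a) matching the filename against patterns generalised from the names quoted in the first post (hypothetical patterns, meant to be tuned to what your own gateway sees) and (b) checking whether the file contains a VBA project at all. The OLE check is a byte-level heuristic: a legacy .doc/.xls is an OLE2 compound file whose directory stores storage and stream names as UTF-16LE, so the names "Macros", "VBA" and "_VBA_PROJECT" can be located without a full directory parse (oledump.py does the real parse; this shortcut can be fooled by fragmentation or oddly placed bytes and is only a first-pass filter). For Office Open XML (.docm/.xlsm) the macro lives in a vbaProject.bin part inside the zip, which the standard library can list. All sample files are constructed in the block and are not real campaign samples.

```python
import io
import re
import zipfile

# Signature of an OLE2 / Compound File Binary container (legacy .doc/.xls)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Hypothetical name patterns generalised from the attachment names quoted
# in the first post; adjust to the naming your own gateway observes.
SUSPICIOUS_NAME_PATTERNS = [
    re.compile(r"^(ACH Transfer|Automated Clearing House transfer) \d+\.doc$", re.I),
    re.compile(r"^(BILLING|ORDER|SHIPPING) DETAILS \d+\.doc$", re.I),
    re.compile(r"^SHIP(PING)? (INVOICE \d+|NO)\.doc$", re.I),
    re.compile(r"^Payment Advice \d+\.doc$", re.I),
    re.compile(r"^\d{8}_\d{6}\.doc$"),                  # 20140918_122519.doc
    re.compile(r"^[A-Z]{0,3}\d{4,}[A-Z]{1,2}\.xls$"),    # 813536MY.xls, BAC474047MZ.xls
    re.compile(r"^ID_\d+[A-Z]\.xls$"),                   # ID_2542Z.xls
]

# Directory-entry names present when an OLE file carries a VBA project.
# The OLE directory stores names as null-terminated UTF-16LE, so the raw
# bytes are searched for that encoding (heuristic, not a full CFB parse).
OLE_VBA_MARKERS = [
    "_VBA_PROJECT".encode("utf-16-le") + b"\x00\x00",
    "Macros".encode("utf-16-le") + b"\x00\x00",
    "VBA".encode("utf-16-le") + b"\x00\x00",
]


def container_type(data):
    """Classify the container by its leading bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(b"PK\x03\x04"):
        return "ooxml"
    return "other"


def ole_has_vba(data):
    """Heuristic VBA check for legacy OLE documents."""
    return any(marker in data for marker in OLE_VBA_MARKERS)


def ooxml_has_vba(data):
    """OOXML documents keep macros in a vbaProject.bin part inside the zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Return a triage record: container kind, macro presence, name match, verdict."""
    kind = container_type(data)
    if kind == "ole":
        has_macros = ole_has_vba(data)
    elif kind == "ooxml":
        has_macros = ooxml_has_vba(data)
    else:
        has_macros = False
    suspicious_name = any(p.match(filename) for p in SUSPICIOUS_NAME_PATTERNS)
    if has_macros and suspicious_name:
        verdict = "quarantine"
    elif has_macros or suspicious_name:
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "container": kind, "has_macros": has_macros,
            "suspicious_name": suspicious_name, "verdict": verdict}


def make_zip(entries):
    """Build an in-memory zip so the OOXML samples below are self-contained."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins, not real samples: an OLE header plus padding and the
# directory names a macro-bearing .doc would contain; a clean OLE; a .docm
# with a vbaProject.bin part; a .docx without one; and a non-Office file.
SAMPLE_OLE_WITH_VBA = (OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKERS[1]
                       + b"\x00" * 100 + OLE_VBA_MARKERS[0])
SAMPLE_OLE_CLEAN = OLE_MAGIC + b"\x00" * 1024
SAMPLE_DOCM = make_zip({"[Content_Types].xml": "<Types/>",
                        "word/document.xml": "<w:document/>",
                        "word/vbaProject.bin": b"\x01\x16\x00\x00"})
SAMPLE_DOCX = make_zip({"[Content_Types].xml": "<Types/>",
                        "word/document.xml": "<w:document/>"})
SAMPLE_TEXT = b"plain text, not an Office file"


def triage(batch):
    """Classify a list of (filename, bytes) pairs, e.g. one message's attachments."""
    return [classify_attachment(name, data) for name, data in batch]


if __name__ == "__main__":
    for record in triage([("ACH Transfer 0084.doc", SAMPLE_OLE_WITH_VBA),
                          ("813536MY.xls", SAMPLE_OLE_CLEAN),
                          ("report.docm", SAMPLE_DOCM),
                          ("minutes.docx", SAMPLE_DOCX),
                          ("notes.txt", SAMPLE_TEXT)]):
        print(record)
```

A name match alone is only worth a "review", since the naming scheme changes per campaign; the macro check is the durable signal, and it is deliberately independent of any AV signature, which the posters above note lags the documents by hours. Combine it with the application-whitelisting point from the post above: the document can be held at the gateway, and if one slips through, the dropped executable still has no permission to run.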




