
Social engineering tricks open the door to macro-malware attacks


37 replies to this topic

#1 NickAu
    Bleepin' Fish Doctor
  • Moderator
  • 11,697 posts
  • Gender: Male
  • Location: 127.0.0.1 Australia

Posted 29 April 2015 - 10:44 PM

 

The macro malware-laden documents that target email users through email spam are intentionally crafted to pique any person's curiosity.  With subjects that include sales invoices, federal tax payments, courier notifications, resumes, and donation confirmations, users can be easily tricked to read the email and open the attachment without thinking twice.

The user opens the document, enables the macro, thinking that the document needs it to function properly – unknowingly enabling the macro malware to run.

Just when you think macro malware is a thing of the past, over the past few months, we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.

http://blogs.technet.com/b/mmpc/archive/2015/04/28/social-engineering-tricks-open-the-door-to-macro-malware-attacks-how-can-we-close-it.aspx




#2 TsVk!
    penguin farmer
  • Members
  • 6,230 posts
  • Gender: Male
  • Location: The Antipodes

Posted 30 April 2015 - 12:01 AM

I'm surprised that they bother creating this malware, considering people persist in unzipping "foto.zip" and double-clicking "pic.exe".

 

In my company we have a restricted execution policy that stops all executions running from temp locations. It's not unusual for users to repetitively try to open malware attachments and then call IT for help when they won't work.



#3 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,576 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 30 April 2015 - 05:41 AM

This has been a common vector for ransomware.

* Malformed or infected word docs with embedded macro viruses
* Please find attached INVOICE number 224244 from Power EC Ltd Word doc malware
* Humber Merchants Group Industrial Invoices Word doc malware
* K J Watking & Co Remittance Advice – excel malware
* Remittance Advice from Anglia Engineering Solutions Ltd – Excel xls malware
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,196 posts
  • Gender: Male
  • Location: Quebec, Canada

Posted 30 April 2015 - 06:55 AM

Good thing that at work, most of these emails that the employees receive are just plainly obvious, and since most of the time the emails don't really involve their department (like when you receive an invoice or shipping bill while you work as a developer), they get suspicious and then call us in addition to forwarding the mail so we can check it out. Also, most of them are in English, while we deal almost exclusively in French here.

Edited by Aura., 30 April 2015 - 06:56 AM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 rp88
  • Members
  • 2,895 posts
  • Gender: Not Telling

Posted 30 April 2015 - 09:54 AM

Regarding malicious Word documents and other Office files, are they dangerous if opened via the "viewing" options in Gmail? When one receives emails in Gmail you can preview any attachments on them; the attachment appears within Gmail (it doesn't use any plugins, it's in the browser entirely) and can be read, although often the formatting of Office documents is a bit messed up when you view them like this. Do these macro and other attacks work against a user viewing a dodgy attachment in Gmail, or do they only work if the user downloads it and opens it in the relevant MS Office program? Also, what about Open/LibreOffice: do they suffer from the same vulnerabilities as Word, or do they fully ignore macros and so have no ability to run the malicious content?
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#6 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,196 posts
  • Gender: Male
  • Location: Quebec, Canada

Posted 30 April 2015 - 09:57 AM

I don't think they are dangerous, since usually documents with macro-based malware on them use the Office macro script interpreter feature to be launched and execute themselves. I doubt Gmail has that.



#7 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,576 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 30 April 2015 - 10:41 AM

With social engineering, the attacker relies heavily on human interaction (the weakest link in security) and often involves tricking people in order to achieve the attacker's desired result. Social engineering has become one of the most prolific tactics for distribution of malware, identity theft and fraud.

#8 Didier Stevens
  • BC Advisor
  • 2,620 posts
  • Gender: Male

Posted 01 May 2015 - 03:56 AM

No, VBA code does not execute when the Office document is viewed via Gmail.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
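The answers above rest on one fact: VBA only runs inside an Office VBA host, so a previewer that merely renders the document never executes the macro. The same fact means a mail gateway or analyst can decide whether an attachment is macro-bearing before anyone opens it, by looking at what the file contains rather than at its extension. The following is an added example (not code from the thread or from any tool its posters use) that inspects an attachment as bytes: an OOXML package (.docx/.docm/.xlsm) is a zip, and a macro-enabled one carries a `vbaProject.bin` part and declares a `macroEnabled` content type; a legacy OLE2 file (.doc/.xls) is flagged for deeper parsing because its VBA lives in OLE streams this example does not parse. The sample packages are constructed in the block itself.

```python
import io
import zipfile

# Magic header of the legacy binary Office container (.doc/.xls); macros in those
# files live in OLE streams and need a dedicated OLE parser (not implemented here).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def inspect_attachment(data: bytes) -> dict:
    """Classify an Office attachment by content, never by its file name.

    Returns:
      format              'ooxml', 'ole2', 'bad_zip' or 'unknown'
      has_vba_project     True if the package contains a vbaProject.bin part
      macro_enabled_type  True if [Content_Types].xml declares a macroEnabled part
    """
    result = {"format": "unknown", "has_vba_project": False, "macro_enabled_type": False}
    if data.startswith(OLE2_MAGIC):
        result["format"] = "ole2"
        return result
    if not data.startswith(b"PK"):
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            result["format"] = "ooxml"
            # The VBA project is stored as a binary part; compare case-insensitively.
            result["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                result["macro_enabled_type"] = "macroenabled" in types_xml.lower()
    except zipfile.BadZipFile:
        result["format"] = "bad_zip"
    return result


def verdict(data: bytes) -> str:
    """Reduce the inspection to a triage decision for a gateway or analyst queue."""
    info = inspect_attachment(data)
    if info["format"] == "ole2":
        return "quarantine: legacy OLE document, inspect VBA streams"
    if info["has_vba_project"] or info["macro_enabled_type"]:
        return "quarantine: macro-bearing OOXML document"
    if info["format"] == "ooxml":
        return "clean: OOXML without VBA project"
    return "unknown: not an Office package"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package for testing (a stand-in, not a real malicious file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ['<?xml version="1.0" encoding="UTF-8"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">']
        if with_macro:
            types.append('<Override PartName="/word/document.xml" '
                         'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>')
            types.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
        else:
            types.append('<Override PartName="/word/document.xml" ContentType='
                         '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")  # no real VBA inside
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro sample", build_sample(True)),
                        ("plain sample", build_sample(False)),
                        ("legacy sample", OLE2_MAGIC + b"\x00" * 64)):
        print(f"{label}: {verdict(blob)}")
```

Because the check keys on the package contents, renaming a `.docm` to `.docx` or `.zip` does not change the verdict; the content-type check and the part check are kept separate so that a package where only one of them matches still lands in quarantine for a human look.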


#9 White Hat Mike
  • Members
  • 312 posts
  • Gender: Male
  • Location: ::1

Posted 01 May 2015 - 07:53 AM

Using macros as an infection vector ceased for a while; however, the prevalence of threats in the wild that rely on macros to infect their targets has increased exponentially in the last few months.

Such an easy method of infecting users, and the success that these attackers are having with it, is upsetting. It further emphasizes the deficiency of your everyday users in terms of security awareness training...

Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#10 TsVk!
    penguin farmer
  • Members
  • 6,230 posts
  • Gender: Male
  • Location: The Antipodes

Posted 01 May 2015 - 07:58 AM

restricted execution.

 

That is all



#11 White Hat Mike
  • Members
  • 312 posts
  • Gender: Male
  • Location: ::1

Posted 01 May 2015 - 08:03 AM

> restricted execution.
>
> That is all


I would just configure GPO to disallow macros entirely. There are a lot of very efficient sandboxes out there that do a really good job at defending even the most naive user... Invincea is one of them.



#12 TsVk!
    penguin farmer
  • Members
  • 6,230 posts
  • Gender: Male
  • Location: The Antipodes

Posted 01 May 2015 - 08:08 AM

> restricted execution.
>
> That is all

> I would just configure GPO to disallow macros entirely. There are a lot of very efficient sandboxes out there that do a really good job at defending even the most naive user... Invincea is one of them.

 

Or disallow everything unless it resides in Program Files or Windows.

 

Bypasses 99.9% of malware in the first instance.



#13 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,196 posts
  • Gender: Male
  • Location: Quebec, Canada

Posted 01 May 2015 - 08:10 AM

It's not uncommon for malware to have executables in the Windows folder, even though most of them are in AppData.



#14 TsVk!
    penguin farmer
  • Members
  • 6,230 posts
  • Gender: Male
  • Location: The Antipodes

Posted 01 May 2015 - 08:12 AM

To get there it has to pass the temp, generally.


Edited by TsVk!, 01 May 2015 - 08:16 AM.


#15 White Hat Mike
  • Members
  • 312 posts
  • Gender: Male
  • Location: ::1

Posted 01 May 2015 - 08:12 AM

> restricted execution.
>
> That is all

> I would just configure GPO to disallow macros entirely. There are a lot of very efficient sandboxes out there that do a really good job at defending even the most naive user... Invincea is one of them.

> Or disallow everything unless it resides in Program Files or Windows.
>
> Bypasses 99.9% of malware in the first instance.

What about when installing new programs? Or with many legitimate programs? Lots of legitimate applications run from %AppData%.

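The exchange from #10 through #15 describes a path-based execution allow list ("only Program Files or Windows"), Aura's objection that malware does land under the Windows folder, and White Hat Mike's objection that legitimate software runs from %AppData%. The following is an added example, written for this thread and not taken from any poster or product, that models such a policy as a rule evaluator and runs it over constructed process-creation records. It assumes the three default roots and a fixed list of user-writable subtrees under an allowed root (a real deployment would derive those from ACLs); the rule engine it stands in for would be AppLocker or Software Restriction Policies. It also flags the one case a path rule alone cannot judge: an allowed system binary started by Word, which is what a macro downloader looks like in a process log.

```python
import ntpath

# Roots of the "Program Files or Windows only" policy from the thread.
ALLOWED_ROOTS = (
    r"C:\Program Files",
    r"C:\Program Files (x86)",
    r"C:\Windows",
)

# Subtrees under an allowed root that standard users can write to, and which
# therefore must be denied even though they sit below C:\Windows.  Assumption:
# a production policy enumerates these from the file system ACLs, not a list.
WRITABLE_EXCEPTIONS = (
    r"C:\Windows\Temp",
)

# Office hosts whose child processes deserve a second look (constructed list).
OFFICE_HOSTS = ("winword.exe", "excel.exe", "powerpnt.exe")


def _canon(path: str) -> str:
    """Collapse '..' and mixed separators, then lower-case for NTFS-style comparison."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def _under(path: str, root: str) -> bool:
    p, r = _canon(path), _canon(root)
    return p == r or p.startswith(r + "\\")


def evaluate(image_path: str) -> tuple:
    """Return ('allow' | 'deny', reason) for one executable path."""
    for exc in WRITABLE_EXCEPTIONS:
        if _under(image_path, exc):
            return "deny", f"user-writable subtree {exc}"
    for root in ALLOWED_ROOTS:
        if _under(image_path, root):
            return "allow", f"under {root}"
    return "deny", "outside allowed roots"


# Constructed process-creation records, not real logs: (image path, parent image path).
SAMPLE_EVENTS = [
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"C:\Windows\explorer.exe"),
    (r"C:\Users\alice\AppData\Roaming\svchost.exe",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    (r"C:\Users\alice\AppData\Local\Temp\invoice.exe", r"C:\Windows\explorer.exe"),
    (r"C:\Windows\Temp\update.exe", r"C:\Users\alice\AppData\Local\Temp\invoice.exe"),
    (r"C:\Program Files\..\Users\alice\Downloads\pic.exe", r"C:\Windows\explorer.exe"),
    (r"c:\windows\system32\cmd.exe",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
]


def run_policy(events) -> list:
    """Evaluate each record; returns (image, decision, reason, office_spawned) tuples.

    office_spawned marks an *allowed* binary whose parent is an Office host: the
    path rule passes it, so it is a detection signal rather than a block.
    """
    out = []
    for image, parent in events:
        decision, reason = evaluate(image)
        parent_name = ntpath.basename(_canon(parent))
        office_spawned = decision == "allow" and parent_name in OFFICE_HOSTS
        out.append((image, decision, reason, office_spawned))
    return out


def count_denied(results) -> int:
    return sum(1 for _, decision, _, _ in results if decision == "deny")


if __name__ == "__main__":
    for image, decision, reason, office_spawned in run_policy(SAMPLE_EVENTS):
        flag = "  <-- allowed, but spawned by an Office host" if office_spawned else ""
        print(f"{decision:5} {image}  ({reason}){flag}")
```

The `..` record shows why paths are canonicalised before comparison, and the `C:\Windows\Temp` record answers Aura's point: the root is allowed, the writable subtree is not. White Hat Mike's objection is the part this toy cannot settle; software that legitimately runs from %AppData% needs an additional publisher or hash rule, which is exactly the maintenance cost that makes "99.9%" an optimistic figure.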




