One of the most common ways for malware to be distributed is in phishing emails. These emails usually require some user interaction, such as clicking on a link and opening an attached Microsoft Office file. Word and Excel files are often used in malware distribution, with macros used to deliver the malicious payload.

Macros are potentially dangerous as they can contain malicious code, so they are usually disabled by default and will only be allowed to run if they are manually enabled by the end user. When an Office file containing a macro is opened, a warning message appears telling the user that the file contains a macro and that it is potentially malicious. If the macro is not manually enabled by the end user, malware cannot be downloaded.

A phishing campaign has recently been detected that is typical of most phishing campaigns distributing malware. The initial attack vector is a phishing email, and Office files are used which contain macros that download the malware payload – in this case ZLoader. However, a novel method is used to deliver the malicious Office files that disables the usual macro warnings and protection mechanisms.

In this campaign, malicious DLLs – ZLoader malware – are delivered as the payload, but the initial phishing email does not contain the malicious code. The phishing email has a Microsoft Word attachment which will trigger the download of a password-protected Excel spreadsheet from the attacker’s remote server when the file is opened and macros are enabled.

The attack relies on Microsoft Word Visual Basic for Applications (VBA) and the Dynamic Data Exchange (DDE) fields of Microsoft Excel, and is effective on systems that support the legacy .xls file format.

Once the encrypted Excel file is downloaded, Word VBA-based instructions in the document read the cell contents from the specially crafted XLS file. Word VBA then writes the cell contents into XLS VBA to create a new macro for the XLS file. When the macros are ready, the Word document disables Excel macro defenses by setting the policy in the registry to Disable Excel Macro Warning. The Excel VBA is then run and downloads the malicious DLL files, which are executed using rundll32.exe.
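
For defenders, the two observable steps in this chain (the Excel macro policy being changed by a process other than Excel, and an Office application launching rundll32.exe) can be correlated per host. The following is an added example, not code from the original article or the vendor. It assumes Sysmon-style event records and assumes the policy change lands in the standard Office Trust Center values `VBAWarnings` or `AccessVBOM`, which the article does not name; all sample events are constructed.

```python
import ntpath
import re

# Constructed sample events shaped like Sysmon process-create (1) and
# registry-set (13) records. Hosts, SIDs and paths are made up for the demo.
OFFICE_DIR = "C:\\Program Files\\Microsoft Office\\Office16\\"
SEC_KEY = "HKU\\S-1-5-21-0\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\"
EVENTS = [
    {"id": 13, "host": "ws01", "image": OFFICE_DIR + "WINWORD.EXE",
     "target": SEC_KEY + "VBAWarnings", "details": "DWORD (0x00000001)"},
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": OFFICE_DIR + "EXCEL.EXE"},
    # Excel changing its own setting (user edits Trust Center): not flagged.
    {"id": 13, "host": "ws02", "image": OFFICE_DIR + "EXCEL.EXE",
     "target": SEC_KEY + "VBAWarnings", "details": "DWORD (0x00000002)"},
    # rundll32 started by the shell, not by Office: not flagged.
    {"id": 1, "host": "ws03", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# Assumption: the article does not name the registry value. These are the
# standard Office values controlling macro warnings and VBA project access.
POLICY_RE = re.compile(
    r"\\Software\\(Policies\\)?Microsoft\\Office\\[\d.]+\\Excel\\Security\\"
    r"(VBAWarnings|AccessVBOM)$", re.IGNORECASE)
OFFICE_APPS = {"winword.exe", "excel.exe"}
POLICY_HIT = "excel_macro_policy_set_by_other_process"
SPAWN_HIT = "office_spawned_rundll32"

def exe(path):
    """Lower-cased executable name from a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()

def detect(events):
    """Return {host: [finding, ...]} for the two behaviours in the chain."""
    findings = {}
    for ev in events:
        hit = None
        if ev["id"] == 13 and POLICY_RE.search(ev["target"]):
            if exe(ev["image"]) != "excel.exe":  # e.g. Word editing Excel's policy
                hit = POLICY_HIT
        elif ev["id"] == 1 and exe(ev["image"]) == "rundll32.exe":
            if exe(ev["parent"]) in OFFICE_APPS:
                hit = SPAWN_HIT
        if hit:
            findings.setdefault(ev["host"], []).append(hit)
    return findings

def full_chain_hosts(findings):
    """Hosts where both the policy change and the rundll32 launch were seen."""
    return sorted(h for h, f in findings.items() if {POLICY_HIT, SPAWN_HIT} <= set(f))

if __name__ == "__main__":
    print(full_chain_hosts(detect(EVENTS)))
```

Either finding alone is worth triage; a host showing both matches the sequence described above.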


While the malicious files will be silently downloaded and executed, this attack still requires the victim to enable macros in the initial Word document. Victims are tricked into doing this by a message displayed when they open the Word file: “This document created in previous version of Microsoft Office Word. To view or edit this document, please click ‘Enable editing’ button on the top bar, and then click ‘Enable content’.” That one click will start the entire infection chain.

ZLoader is a variant of the infamous Zeus banking Trojan, which first appeared in 2006. The malware is also known by the names ZBot and Silent Night and is used by multiple threat groups. The malware was used in large-scale campaigns in 2020 using COVID-19 themed lures, such as COVID-19 prevention tips, along with more standard lures such as job applications.

Once installed, the malware uses webinjects to steal passwords, login credentials and browser cookies. When an infected computer is used to access online banking and financial accounts, banking information and other sensitive data are stolen and exfiltrated to the attacker’s C2 server.

If you want to improve your defenses against malware and phishing, give the TitanHQ team a call and enquire about SpamTitan Email Security and WebTitan Web Security. Both solutions can be downloaded, configured, and protecting you from the full range of web and email threats in under an hour. Both are available on a no-obligation 14-day free trial, so you can see for yourself how easy they are to use and how effective they are at blocking threats before making a purchase decision.