Usually, hackers utilize weaponized MS Office documents or other social engineering tactics in malspam campaigns to trap unsuspecting users and let them enable the macros. However, things have changed and new attack discovered by researchers is critical than ever.
According to a report from McAfee Labs experts, threat actors are using a new technique in these campaigns where non-malicious documents are used to disable security warnings before executing macro code on the targeted computer.
This means hackers are downloading/executing malicious DLLs/ZLoader without any malicious code in the spammed attachment macro. Hence, they have devised a new tactic to disable macro security warnings.
What is ZLoader?
As previously reported by Hackread.com, ZLoader has been active since 2016 and shares similarities with the notorious Zeus 22.214.171.124 banking trojan as far as functionalities are concerned.
Moreover, ZLoader is mainly used to spread Zeus-like trojan, such as Zeus OpenSSL. Previously, ZLoader operations have been reported in the USA, Canada, Japan, Spain, and Malaysia.
The malware is known for using macro-enabled MS Office documents as its initial attack vector and steal PII and login credentials mainly from users of certain financial institutions.
About the Attack Chain
Hackers send a spam message using an MS Word document. When this document is opened, a password-protected MS Excel (XLS) file is downloaded from the remote server operated by the attacker.
Later, the Word VBA reads the XLS file’s cell contents and creates a new macro for the same file. It writes the cell contents to XLS VBA macros as functions.
“Once the macros are written and ready, the Word document sets the policy in the registry to ‘Disable Excel Macro Warning’ and invokes the malicious macro function from the Excel file. The Excel file now downloads the ZLoader payload. The ZLoader payload is then executed using rundll32.exe,” wrote McAfee’s Kiran Raj & Kishan N in a blog post.
To protect yourself from the new malspam campaign make sure documents sent by anonymous senders are not downloaded or executed on your device. Use reliable anti-malware software on your system or scan for malicious links and files on VirusTotal.