Friday, July 23, 2021

The latest phish stink


Another example of why cybersecurity awareness is so important.

A new phishing campaign has a clever way to get around the standard security measures built into Windows and Microsoft Office. Naturally, it still requires human cooperation to enable the payload.

Allow me to make my opening statement. Never open an attachment or click a hyperlink in an unexpected email, even from someone you know. Let us proceed.

The malware arrives through a phishing email with a Microsoft Word document attached. When the document is opened and macros are enabled, the Word document's macro code, with no further involvement from the user, downloads and opens a password-protected Microsoft Excel document.

After downloading the XLS file, the Word VBA reads the cell contents from the XLS file and writes them into a new VBA macro in that same XLS file, as functions. Once the macro is written and ready, the Word document edits the registry to turn off Excel's macro security warning and invokes the malicious macro function in the Excel file. Again, the user is oblivious to this. The Excel macro then downloads the Zloader payload, which is executed using the rundll32 executable.
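Added here as a defender-side illustration, not code from the post: a small Python triage script that flags the two observable stages of the chain above (an Office process weakening Excel's macro security in the registry, then Excel spawning rundll32) in constructed endpoint event lines. The event-line format and the registry value names VBAWarnings and AccessVBOM are assumptions; the post itself does not name the key that gets edited.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe"}
# Registry values under an Office ...\Security key that weaken macro defenses.
# Assumption: these are what "disable Excel macro warning" maps to.
MACRO_TAMPER = {"vbawarnings": "1", "accessvbom": "1"}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed, Sysmon-like sample events (not real telemetry).
SAMPLE = [
    'RegSet proc=winword.exe key=HKCU\\Software\\Microsoft\\Office\\16.0\\Excel\\Security value=VBAWarnings data=1',
    'RegSet proc=winword.exe key=HKCU\\Software\\Microsoft\\Office\\16.0\\Excel\\Security value=AccessVBOM data=1',
    'ProcCreate parent=winword.exe image=excel.exe',
    'ProcCreate parent=excel.exe image=rundll32.exe',
    'RegSet proc=regedit.exe key=HKCU\\Software\\Microsoft\\Office\\16.0\\Excel\\Security value=VBAWarnings data=2',
]

def parse(line):
    """Split an 'EventType k=v k=v ...' line into (type, fields dict)."""
    etype, _, rest = line.strip().partition(" ")
    return etype, {k.lower(): v.strip('"') for k, v in KV.findall(rest)}

def classify(event):
    """Tag a single parsed event, or return None if it is not suspicious."""
    etype, f = event
    if etype == "RegSet" and f.get("proc") in OFFICE_APPS:
        # An Office app (not the user via regedit) enabling macros / VBA access
        if "\\security" in f.get("key", "").lower() and \
           MACRO_TAMPER.get(f.get("value", "").lower()) == f.get("data"):
            return "macro_security_tampered"
    if etype == "ProcCreate" and f.get("parent") in OFFICE_APPS \
            and f.get("image") == "rundll32.exe":
        return "office_spawned_rundll32"
    return None

def detect_chain(lines):
    """Per-line tags, plus whether tampering was followed by Office->rundll32."""
    findings, tampered, chain = [], False, False
    for line in lines:
        tag = classify(parse(line))
        findings.append(tag)
        if tag == "macro_security_tampered":
            tampered = True
        elif tag == "office_spawned_rundll32" and tampered:
            chain = True
    return {"findings": findings, "chain_detected": chain}

if __name__ == "__main__":
    print(detect_chain(SAMPLE))
```

The last sample line (a manual VBAWarnings=2 change from regedit) is deliberately left untagged, so only Office-driven tampering counts toward the chain.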

Importantly, the user still has to enable macros when prompted in the first document, for the second document to be downloaded. Due to security concerns, macros are disabled by default in Microsoft Office applications. As a result, the infection chain can be thwarted if users are trained to never enable macros in an Office document.

More importantly, go back and re-read my first piece of advice. Never open an attachment or click a hyperlink in an unexpected email, even from someone you know.

That is all.
