Word and Excel documents are enlisted to disable Office macro warnings, so the Zloader banking malware can be downloaded onto systems without security tools flagging it.
Legacy users of Microsoft Excel are being targeted in a malware campaign that uses a novel malware-obfuscation technique to disable Office defenses and deliver the Zloader trojan.
The attack, according to research published Thursday by McAfee, marries functions in Microsoft Office Word and Excel to work together to download the Zloader payload, without triggering an alert warning for end users of the malicious attack.
Zloader is a banking trojan designed to steal credentials and other private information from users of targeted financial institutions.
The initial attack vector is inbox-based phishing messages with Word document attachments that contain no malicious code. Thus, it wouldn’t typically trigger an email gateway or client-side antivirus software to block the attack.
The macro-obfuscation technique meanwhile leverages both Microsoft Office’s Excel dynamic data exchange (DDE) fields and Windows-based Visual Basic for Applications (VBA) to launch attacks against systems that support legacy XLS formats.
Initial Infection Chain
“The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, the Word document, in turn, downloads and opens another password-protected Microsoft Excel document,” researchers wrote.
Next, VBA-based instruction embedded in the Word document reads a specially crafted Excel spreadsheet cell to create a macro. That macro populates an additional cell in the same XLS document with an additional VBA macro, which disables Office defenses.
“Once the macros are written and ready, the Word document sets the policy in the registry to ‘Disable Excel Macro Warning,’ and invokes the malicious macro function from the Excel file. The Excel file now downloads the Zloader payload. The Zloader payload is then executed using rundll32.exe,” researchers said.
How the Obfuscation Works
Because Microsoft Office automatically disables macros, the attackers attempt to trick recipients of the email to enable them with a message appearing inside the Word document.
“This document created in previous version of Microsoft Office Word. To view or edit this document, please click ‘Enable editing’ button on the top bar, and then click ‘Enable content’,” the message reads.
This is when the malware authors leverage DDE and VBA, both standard Microsoft tools that ship with Windows.
DDE is a method for transferring data between applications, such as Excel and Word. In this instance, the process updates the contents of a spreadsheet cell with information from Word. The Word document can then read specific Excel cell content of the downloaded .XLS file. Next, the Excel document is populated with the Word-based VBA instructions.
VBA is Microsoft’s programming language for Excel, Word and other Office programs. VBA allows users to create strings of commands using a tool called Macro Recorder. In this instance, as with other abuses of VBA, malware authors are creating malicious macro scripts.
“Excel will record all the steps a user makes and save it as a ‘process’ known as a macro. When the user ends the recorder, this macro is saved and can be assigned to a button that will run the exact same process again when clicked,” according to a description of VBA.
Disabling Excel Macro Warnings
Malware authors achieve the warning bypass by embedding instructions in the Word document to extract the contents from the Excel cells, researchers wrote. Next, the parent Word file “creates a new VBA module in the downloaded Excel file by writing the retrieved contents.”
Once the Excel macro is created and ready to execute, the script will modify the Windows’ RegKey to disable trust access for VBA on the victim’s machine. This allows the script to “execute the function seamlessly without any Microsoft Office warnings,” researchers wrote.
After disabling the trust access, a new Excel VBA is created and executed – triggering the download of Zloader.
“Malicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payload as we discussed in this blog,” researchers wrote. “We suggest it is safe to enable (macros) only when the document received is from a trusted source.”