
ZLoader Devises New Attack Method to Disable Macro Security Warnings

ZLoader, the malware loader derived from the Zeus banking trojan and active since 2016, has devised a new way to bypass the macro security warning in Microsoft Office documents. The technique lets it download and execute malicious code without ever triggering Excel's macro warning bar.

What has been observed?

According to researchers at McAfee Labs, the attackers first deliver a Word document whose own content carries no malicious payload (which is why it passes static scanning), and then use its macro to disable Excel's security warnings before the real payload is written.
  • McAfee's telemetry map shows North America as the most affected region.
  • The attack begins with a phishing email carrying a benign-looking Microsoft Word document as an attachment. When an unsuspecting user opens the file and enables macros, the document's VBA downloads an Excel file.
  • The Word document's VBA then reads the contents of the downloaded Excel file's cells and writes them into the Excel file's VBA project as macros.
  • Writing macros into another workbook programmatically requires "Trust access to the VBA project object model", so the Word document edits Excel's macro security settings in the registry (the AccessVBOM and VBAWarnings values under the current user's Office Excel Security key). This both grants that access and disables the Excel macro warning. The Word VBA then dynamically calls the newly written malicious macro function.
  • Executing this Excel macro ultimately downloads the ZLoader payload, a DLL that is then run via rundll32.exe.
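The chain above leaves two telemetry artifacts a defender can alert on: an Office process writing AccessVBOM=1 or VBAWarnings=1 under an Office Security registry key (with Word writing Excel's key being especially telling), and an Office process spawning rundll32.exe. The following is an added detection example, not code from the article or from McAfee's report. It runs over constructed Sysmon-style events (Event ID 13 registry SetValue and Event ID 1 ProcessCreate, flattened to JSON lines); the paths, SID, DLL name and field layout are assumptions, while the AccessVBOM and VBAWarnings value names are the real Office trust-center settings.

```python
"""Detect the Word -> registry downgrade -> Excel -> rundll32 chain in Sysmon-style logs.

Added example; the log lines below are constructed, not captured telemetry.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Registry values Office consults for macro trust (real value names):
#   AccessVBOM=1  -> "Trust access to the VBA project object model"; required
#                    for VBA to write macros into another document.
#   VBAWarnings=1 -> "Enable all macros"; no warning bar, no prompt.
OFFICE_SECURITY_VALUE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Microsoft\\Office\\(?P<ver>\d+\.\d+)\\"
    r"(?P<app>Excel|Word|PowerPoint)\\Security\\(?P<name>AccessVBOM|VBAWarnings)$",
    re.IGNORECASE,
)
DWORD_DETAILS = re.compile(r"DWORD \(0x(?P<hex>[0-9A-Fa-f]{8})\)")

# Office host process -> application name as it appears in the registry path.
OFFICE_PROCESSES = {"winword.exe": "excel" and "word", "excel.exe": "excel", "powerpnt.exe": "powerpoint"}
OFFICE_PROCESSES["winword.exe"] = "word"
# Binaries this chain (rundll32) and its common variants hand execution to.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "certutil.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    process: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_registry_event(ev: dict) -> Optional[Alert]:
    """Event ID 13 SetValue from an Office process that weakens macro security."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    image = _basename(ev.get("Image", ""))
    if image not in OFFICE_PROCESSES:
        return None  # regedit, GPO, admin scripts etc. are not this chain
    m = OFFICE_SECURITY_VALUE.match(ev.get("TargetObject", ""))
    if not m:
        return None
    d = DWORD_DETAILS.search(ev.get("Details", ""))
    if d is None or int(d.group("hex"), 16) != 1:
        return None  # only value 1 is the downgrade for both settings
    target_app = m.group("app").lower()
    cross = "" if OFFICE_PROCESSES[image] == target_app else "cross-application "
    return Alert("office_macro_security_downgrade", image,
                 f"{cross}{m.group('name')}=1 written to Office {m.group('ver')} "
                 f"{m.group('app')} security key")


def check_process_event(ev: dict) -> Optional[Alert]:
    """Event ID 1 ProcessCreate: an Office parent spawning a LOLBin."""
    if ev.get("EventID") != 1:
        return None
    parent = _basename(ev.get("ParentImage", ""))
    child = _basename(ev.get("Image", ""))
    if parent in OFFICE_PROCESSES and child in LOLBINS:
        return Alert("office_spawned_lolbin", parent,
                     f"{child} launched with: {ev.get('CommandLine', '')}")
    return None


def detect(lines: Iterable[str]) -> List[Alert]:
    """Run both rules over JSON-lines events, preserving log order."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for check in (check_registry_event, check_process_event):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


def chain_detected(alerts: List[Alert]) -> bool:
    """True when a security downgrade is followed by an Office -> LOLBin spawn."""
    rules = [a.rule for a in alerts]
    if "office_macro_security_downgrade" not in rules or "office_spawned_lolbin" not in rules:
        return False
    return rules.index("office_macro_security_downgrade") < rules.index("office_spawned_lolbin")


# Constructed sample: Word flips Excel's two trust values, an admin sets the
# default (2) via regedit (benign), then Excel spawns rundll32 with a DLL.
SAMPLE_LOG = r'''
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\AccessVBOM", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\VBAWarnings", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\VBAWarnings", "Details": "DWORD (0x00000002)"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "rundll32.exe C:\\Users\\Public\\update.dll,DllRegisterServer"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
'''

if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"[{a.rule}] {a.process}: {a.detail}")
    print("chain detected:", chain_detected(found))
```

The registry rule deliberately ignores writes from non-Office processes and values other than 1, so legitimate administration (Group Policy, regedit, deployment scripts) does not fire it; the cross-application marker is what distinguishes this ZLoader chain, where Word rewrites Excel's settings, from a user loosening a single application's own trust settings.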

Recent attacks by ZLoader

Attackers have experimented with similar Microsoft Office macro tricks to distribute ZLoader in the recent past.
  • A few months ago, attackers were seen abusing Excel 4.0 (XLM) macros, a legacy macro language that was superseded by VBA in the early 1990s. Recent versions of Microsoft Office still support it for backward compatibility, which is what makes the abuse possible.
  • In March, researchers observed invoice-themed campaigns with a more elaborate infection chain. These attacks relied on passing data between different Microsoft Office document formats, producing a complex sequence of events that is harder to analyze and detect.

Concluding note

Malicious macros are nothing new, but the ZLoader operators stand out for their inventiveness. Because the malicious macro is created at runtime from a document that initially contains nothing malicious, the same approach could be extended to other living-off-the-land tools, and further variants of this chain should be expected in the near future.

Publisher: Cyware