Researchers from McAfee have discovered a new technique that downloads and executes the Zloader DLL without any malicious code being present in the initial spammed attachment (an MS Word document) used in the phishing campaign.

While phishing remains the common technique for gaining initial access to a target machine, attackers have now evolved and added one more technique to their arsenal to evade detection by security controls.

Source: McAfee

“The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, the Word document, in turn, downloads and opens another password-protected Microsoft Excel document,” reads the blog.

Once the XLS file is downloaded, the VBA in the Word document reads cell contents from the downloaded XLS file, creates a new macro inside that same file, and writes the cell contents back as a function inside the XLS macro.

Interestingly, the initial MS Word document modifies the Windows registry (HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\AccessVBOM) to disable the XLS file's macro warning and execute the malicious macro function in the same file.

The different TTPs used by this malware, as listed in the blog, include:

  • E-mail Spear Phishing (T1566.001): Phishing acts as the main entry point into the victim's system, where the document comes as an attachment and the user enables the document to execute the malicious macro and cause infection. This mechanism is seen in most malware like Emotet, Dridex, Trickbot, AgentTesla, etc.
  • Execution (T1059.005): This is a very common behavior observed when a malicious document is opened. The document contains embedded malicious VBA macros which execute code when the document is opened/closed.
  • Defense Evasion (T1218.011): Execution of a signed binary to abuse Rundll32.exe and proxy-execute the malicious code is observed in this Zloader variant. This tactic is now also part of many others like Emotet, Hancitor, IcedID, etc.
  • Defense Evasion (T1562.001): In this tactic, it disables or modifies security features in the Microsoft Office document by changing the registry keys.
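The chain described above (Word writing the AccessVBOM value, Word spawning Excel, and an Office process proxy-executing through rundll32.exe) leaves a recognisable trail in endpoint telemetry. The following detection logic is an added example written for this article, not code from McAfee or Cyberworkx: it replays a handful of constructed Sysmon-style events (EventID 1 = process creation, EventID 13 = registry value set) and flags the three behaviours the TTP list names. The SIDs, paths and DLL name in the sample events are placeholders, and the VBAWarnings value matched alongside AccessVBOM is an assumption drawn from general Office knowledge rather than from the blog.

```python
"""Detection logic for the Zloader maldoc chain (added example, not McAfee's code).

Replays constructed Sysmon-style JSON events and flags:
  1. an Office process writing AccessVBOM (or VBAWarnings, assumed from
     general Office knowledge) under ...\Office\<version>\{Excel,Word}\Security,
  2. WINWORD.EXE spawning EXCEL.EXE (the Word -> Excel download step),
  3. an Office process spawning rundll32.exe (T1218.011).
Field names follow Sysmon conventions; SIDs, paths and file names are placeholders.
"""
import json
import re
from typing import Dict, Iterable, List, Tuple

OFFICE_PROCS = {"winword.exe", "excel.exe"}

# HKCU\Software\Microsoft\Office\<ver>\{Excel,Word}\Security\{AccessVBOM,VBAWarnings}
# Sysmon records the hive as HKU\<SID>\..., so anchor the match at \Software\.
MACRO_SECURITY_VALUE = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d\\(Excel|Word)\\Security\\(AccessVBOM|VBAWarnings)$",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (last backslash component)."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict) -> List[str]:
    """Return the list of rule names that fire on a single event."""
    hits: List[str] = []
    image = basename(ev.get("Image", ""))
    # Rule 1: Office process tampering with macro security settings (T1562.001).
    if ev.get("EventID") == 13 and image in OFFICE_PROCS \
            and MACRO_SECURITY_VALUE.search(ev.get("TargetObject", "")):
        hits.append("T1562.001 office-process-modifies-macro-security")
    if ev.get("EventID") == 1:
        parent = basename(ev.get("ParentImage", ""))
        # Rule 2: Word launching Excel, as the VBA does to open the downloaded XLS.
        if parent == "winword.exe" and image == "excel.exe":
            hits.append("T1059.005 word-spawns-excel")
        # Rule 3: signed-binary proxy execution from an Office parent (T1218.011).
        if parent in OFFICE_PROCS and image == "rundll32.exe":
            hits.append("T1218.011 office-spawns-rundll32")
    return hits


def detect(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run every rule over JSON-lines events; return (rule, Image) alerts in order."""
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in check_event(ev):
            alerts.append((rule, ev.get("Image", "")))
    return alerts


# Constructed sample telemetry (not real captures). Events 2, 3 and 5 should alert;
# events 1, 4 and 6 are benign look-alikes that must stay quiet.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "WINWORD.EXE /n C:\\Users\\alice\\Downloads\\invoice.doc"}
{"EventID": 13, "Image": "C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\12.0\\Excel\\Security\\AccessVBOM", "Details": "DWORD (0x00000001)"}
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE", "CommandLine": "EXCEL.EXE"}
{"EventID": 13, "Image": "C:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\12.0\\Excel\\Options\\DefaultFormat", "Details": "DWORD (0x00000033)"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE", "CommandLine": "rundll32.exe C:\\Users\\Public\\PLACEHOLDER.dll,EntryPoint"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"}
"""

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {rule}: {image}")
```

Matching on the parent process rather than on rundll32.exe alone is what keeps the last rule usable: rundll32.exe is launched legitimately all day by svchost.exe and explorer.exe, but an Office application as its parent is rare enough in most environments to be worth a ticket. The registry rule is version-agnostic on purpose, since the `12.0` path in the write-up is only one of the Office version keys a sample might target.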

Cyberworkx news readers can download the IOCs from this link.

For more cybersecurity news in crisp content, please follow our site via the Twitter handle @cyberworkx1.
