July 26, 2018 By Douglas Bonderud 2 min read

A new encrypted downloader is using old-school macro attacks to gain backdoor access.

Threat actors are now pairing new encryption with old macros to subvert system processes and enable backdoor device access, according to a June 2018 IBM X-Force threat advisory. This age-old threat vector is still lucrative for cybercriminals, as evidenced by a December 2017 McAfee Labs report that detected 1.2 million pieces of active macro malware in the third quarter of 2017.

But with organizations increasingly aware of dangerous document risks, threat actors are upping the ante.

A Targeted Macro Malware Attack?

The new malware, identified as GZipDe, leverages a recent report about the Shanghai Cooperation Organization (SCO) Summit held in Qingdao, China. Researchers from AlienVault noted that the threat actors copied part of the report into an email and then “protected” the rest — prompting recipients to enable macros if they wanted to view the entire document.

While there’s no clear victim profile here, Chris Doman, security researcher at AlienVault, told Bleeping Computer in June 2018 that the attack appears to be targeted.

“Given the decoy document is in English and uploaded from Afghanistan, it may have been targeting someone in an embassy or similar there,” Doman told the publication.

How Threat Actors Are Taking Macro Malware to the Next Level

The original payload is available on GitHub, but the attackers raised the stakes by adding a new encrypted downloader to GZipDe before launching their malware attacks. The researchers noted that this encrypted .NET tool both improves antivirus evasion and clouds process memory, making it easier for cybercriminals to install device backdoors.

Malware in the document itself, meanwhile, executes a stored hexadecimal stream Virtual Basic script along with a hidden PowerShell process.

Next, a new obfuscated memory page is launched that includes execute, read and write privileges. This tactic allows attackers to decrypt and execute their malware payload, a Metasploit backdoor and Meterpreter tool able to “gather information from the system and contact the command and control server to receive further commands.”

The Metasploit shellcode lets attackers run their dynamic link library (DLL) completely in-memory. This means it won’t write any information to disk, making it harder to track down an attack in progress.

Why You Should Disable Macros by Default

New encrypted downloader or not, organizations and individual users should disable macros by default to protect devices from this type of malware.

Security experts suggest alternatives to enabling macros, such as:

  • Asking questions: Security leaders should encourage employees to ask questions if they’re unsure whether they should enable macros on a document and make them feel comfortable reporting suspicious messages and files. Fostering a positive security culture is key to making employees an organization’s first line of defense against cyberthreats.
  • Deploying behavioral analytics: While encryption may obfuscate processes and limit total visibility, building in behavior-based detection tools can help security teams identify anomalous activity sooner rather than later.

Sources: McAfee Labs, AlienVault, Bleeping Computer

More from

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

4 ways to bring cybersecurity into your community

4 min read - It’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an organizational responsibility to a global perspective.When every person who uses technology — for work, personal use and school — views cybersecurity as their responsibility, it…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today