Security Experts:

Connect with us

Hi, what are you looking for?



Attacks Against Banks Leverage Macros, PowerShell

A series of attacks carried out against banks in the Middle East in early May were using unique scripts that are not commonly seen in crimeware campaigns, researchers at FireEye warn.

A series of attacks carried out against banks in the Middle East in early May were using unique scripts that are not commonly seen in crimeware campaigns, researchers at FireEye warn.

The attacks were carried out via emails containing macro-enabled Microsoft Excel files sent to bank employees. According to FireEye, the emails were targeted, with one such message supposedly containing the conversation between several employees and the contact details of employees from several banks.

When run, the malicious macro extracts base64-encoded content a worksheet, then checks for the presence of %PUBLIC%Libraries update.vbs and creates three directories under %PUBLIC%Libraries, should the file be missing. The initially extracted content is then decoded using PowerShell and dropped into %PUBLIC%Librariesupdate.vbs and %PUBLIC%Librariesdns.ps1. Next, the macro creates the GoogleUpdateTaskMachineUI scheduled task that executes update.vbs every three minutes.

FireEye’s researchers also observed that additional content was displayed after the macro executed successfully – a social engineering technique meant to convince victims that the macro was legitimately revealing additional spreadsheet data. Usually, no additional content is displayed after enabling the macros, but the attackers took the extra step in this campaign, in an attempt to eliminate possible suspicion.

After the initial step has been successfully completed and the scheduled task created, a dropped VBScript called update.vbs is launched every three minutes. The VBScript leverages PowerShell to download content from a specific URL, including a BAT file. The BAT file is then executed, with the results saved in directory and then uploaded to the server. 

Using PowerShell to evade detection is not unheard of in such attacks, and FireEye also observed that a customized version of Mimikatz, a publicly available tool that has been used in other campaigns too, was downloaded on compromised machines as well. The utility can be used by cybercriminals to recover plaintext passwords from memory.

In this specific attack, researchers say that the aforementioned BAT file was used to collect information from the compromised systems, including the currently logged on user, hostname, network configuration data, user and group accounts, local and domain administrator accounts, running processes, and other data.

The PowerShell script dns.ps1 dropped by the macro during the first step of infection is executed for data exfiltration via DNS queries, most probably because DNS is required for normal network operations and is unlikely to be blocked, thus allowing free communication out of the network, researchers say.

The script receives instructions from the command and control server, including an ID that is saved into the PowerShell script. The script uploads the gathered data to the DNS server by embedding file data into part of the subdomain, and it is invoked each time a scheduled task runs.

FireEye researchers note that the most interesting aspect of this attack was the use of different components to perform reconnaissance activities on a specific target, even if no zero-days or other advanced techniques were leveraged. Moreover, the attack proves that macro malware continues to be highly effective and that users should not enable Office macros for documents coming from unknown sources, even if these documents are from seemingly trusted sources.

Related: Macro Malware Makes Improvements on Hiding Malicious Code

Related: Macro Malware Dridex, Locky Using Forms to Hide Code

Written By

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.