A recently discovered Microsoft Office loader uses malicious macros to drop multiple malware families, Palo Alto Networks security researchers warn.
More than 650 unique samples of this loader have been observed since initial detection in early December 2016, accounting for 12,000 malicious sessions targeting numerous industries. The loader, researchers say, is being delivered via email and employs heavily obfuscated malicious macros and a user account control (UAC) bypass technique to compromise targeted systems.
The roughly 12,000 phishing email runs distributing the loader used a variety of subject lines, claiming to be purchase orders, requests for quotation, purchase enquiries, and email verification notifications, among others. The attached malicious documents were masquerading as invoices, product lists, deposit slips, or document scans, and more.
High Tech, Professional and Legal Services, and Government were some of the most affected industries, Palo Alto Networks says. However, the distribution campaigns leveraging this loader have been targeting other sectors as well, including Wholesale, Telecoms, and Services.
Some of the malware families dropped using this loader included LuminosityLink, KeyBase, PredatorPain, Ancalog, Bartalex, Pony, and DarkComet.
“Based on the large amount of commodity malware families being dropped, as well as the wide distribution seen, this loader appears to primarily be used for widespread campaigns,” the security researchers say.
The loader uses malicious macros that have been obfuscated using a large amount of garbage code and randomly chosen variables, which led researchers to believe that a builder was used to generate them. The second part of the malicious macro, researchers say, includes not only garbage code, but also obfuscated strings and a number of strings written to the Word document and which are in-line with the ploy used by the attacker, based on the subject line and filename.
The first half of the macro, on the other hand, includes a function to decode the obfuscated strings, after which they are called with a PowerShell command. To decode the strings, the macro simply removes characters present within a blacklist string. However, researchers say that only about half of the samples contained decoy information.
One of the decoded functions was meant to download a payload via PowerShell and then drop it within the %TEMP% directory. The macro would also create a registry key to point to the dropped file, while also abusing Windows Event Viewer to bypass UAC and elevate its privileges. The dropped file is then removed.
The UAC bypass was first detailed in August 2016, and was recently used in various campaigns, including some focused on the distribution of ransomware.
A small set of samples used the built-in BITSAdmin tool instead of PowerShell to download the malware. The technique was associated with 11 samples that were spotted in early December, when the loader first appeared. However, the attackers switched to PowerShell.
“Overall, this new loader is interesting in its use of performing a UAC bypass. Additionally, the widespread use of this loader since December of last year shows that it is being used in numerous campaigns. It is unclear if this loader is being used by one or more groups. Multiple industries have been targeted by this loader, which has been used to deploy multiple malware families,” Palo Alto researchers conclude.
Related: Macro Malware Comes to macOS