New Zloader malware technique makes it harder to spot phishing emails

The novel distribution technique involves sending Word documents that may bypass conventional malware scanning

Hackers have been discovered using a new phishing technique that involves using a sequence of chained commands to hide malicious content and make email attachments appear harmless to filters.

The technique involves send a phishing email containing a seemingly innocuous Microsoft Word attachment, according to McAfee. Once opened, it triggers a chain of events that eventually downloads the payload for the infamous banking and data exfiltration malware, known as Zloader.

The fact that the document isn't embedded with any malicious code will make it easier for phishing emails to bypass initial checks and malware scanners.

Researchers have noted that users are only susceptible to infection if macros are enabled, which the phishing attack will use to trigger a series of commands once the Word document is opened.

Macros are disabled by default in Microsoft Office, so the Word document itself contains a lure designed to trick users into enabling macros, claiming that if they don’t, the file won’t load correctly.

When the Word document opens, and macros are enabled, the document downloads and opens another password-protected Microsoft Excel file from a remote server.

The Word document contains combo box components that store the content required to connect to the remote Excel document, including the Excel object, URL, and password required to open the file. The URL is stored in the combo box in the form of broken strings, which are combined later to form a complete string.

The code then attempts to download and open the Excel file stored in the malicious domain. After extracting the contents from the Excel cells, the Word file creates a Visual Basic for Applications (VBA) module in the downloaded Excel file by writing the retrieved contents. It, essentially, retrieves the cell contents and writes them to XLS macros.

Once the macro is formed and ready, it modifies a RegKey to disable trust access for VBA on the victim’s device in order to execute the malicious function without any Microsoft Office warnings. After writing macro contents to the Excel file, and disabling trust access, a function from the newly written excel VBA is called which downloads the Zloader payload.

“Malicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payload,” McAfee’s researchers Kiran Raj and Kishan N wrote.

Related Resource

X-Force Threat Intelligence Index

Top security threats and recommendations for resilience

Transparent cube against a black background - whitepaper from IBMFree download

“Usage of such agents in the infection chain is not only limited to Word or Excel, but further threats may use other living off the land tools to download its payloads. Due to security concerns, macros are disabled by default in Microsoft Office applications. We suggest it is safe to enable them only when the document received is from a trusted source.”

The operators of the Zloader malware are notorious for finding increasingly innovative ways of spreading their banking Trojan. The malware was found to be present in 100 coronavirus-related email campaigns as of the first half of 2020. Zloader was also hiding within encrypted Excel documents, according to research published in March this year, with its operators overseeing invoice-related spam campaigns.

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

Education and government most at risk from email threats
phishing

Education and government most at risk from email threats

26 Nov 2021
Attackers use CSS to fool anti-phishing systems
phishing

Attackers use CSS to fool anti-phishing systems

11 Nov 2021
Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
How to speed up Windows 11
Microsoft Windows

How to speed up Windows 11

7 Jan 2022
Synology DiskStation DS2422+ review: A cube of great capacity
network attached storage (NAS)

Synology DiskStation DS2422+ review: A cube of great capacity

10 Jan 2022