New Zloader malware technique makes it harder to spot phishing emails

Graphic representing phishing with a hacker stealing data from one computer to anotheri
(Image credit: Shutterstock)

Hackers have been discovered using a new phishing technique that involves using a sequence of chained commands to hide malicious content and make email attachments appear harmless to filters.

The technique involves send a phishing email containing a seemingly innocuous Microsoft Word attachment, according to McAfee. Once opened, it triggers a chain of events that eventually downloads the payload for the infamous banking and data exfiltration malware, known as Zloader.

The fact that the document isn't embedded with any malicious code will make it easier for phishing emails to bypass initial checks and malware scanners.

Researchers have noted that users are only susceptible to infection if macros are enabled, which the phishing attack will use to trigger a series of commands once the Word document is opened.

Macros are disabled by default in Microsoft Office, so the Word document itself contains a lure designed to trick users into enabling macros, claiming that if they don’t, the file won’t load correctly.

When the Word document opens, and macros are enabled, the document downloads and opens another password-protected Microsoft Excel file from a remote server.

The Word document contains combo box components that store the content required to connect to the remote Excel document, including the Excel object, URL, and password required to open the file. The URL is stored in the combo box in the form of broken strings, which are combined later to form a complete string.

The code then attempts to download and open the Excel file stored in the malicious domain. After extracting the contents from the Excel cells, the Word file creates a Visual Basic for Applications (VBA) module in the downloaded Excel file by writing the retrieved contents. It, essentially, retrieves the cell contents and writes them to XLS macros.

Once the macro is formed and ready, it modifies a RegKey to disable trust access for VBA on the victim’s device in order to execute the malicious function without any Microsoft Office warnings. After writing macro contents to the Excel file, and disabling trust access, a function from the newly written excel VBA is called which downloads the Zloader payload.

“Malicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payload,” McAfee’s researchers Kiran Raj and Kishan N wrote.


X-Force Threat Intelligence Index

Top security threats and recommendations for resilience


“Usage of such agents in the infection chain is not only limited to Word or Excel, but further threats may use other living off the land tools to download its payloads. Due to security concerns, macros are disabled by default in Microsoft Office applications. We suggest it is safe to enable them only when the document received is from a trusted source.”

The operators of the Zloader malware are notorious for finding increasingly innovative ways of spreading their banking Trojan. The malware was found to be present in 100 coronavirus-related email campaigns as of the first half of 2020. Zloader was also hiding within encrypted Excel documents, according to research published in March this year, with its operators overseeing invoice-related spam campaigns.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.