New Zloader malware technique makes it harder to spot phishing emails

The novel distribution technique involves sending Word documents that may bypass conventional malware scanning

Hackers have been discovered using a new phishing technique that involves using a sequence of chained commands to hide malicious content and make email attachments appear harmless to filters.

The technique involves send a phishing email containing a seemingly innocuous Microsoft Word attachment, according to McAfee. Once opened, it triggers a chain of events that eventually downloads the payload for the infamous banking and data exfiltration malware, known as Zloader.

The fact that the document isn't embedded with any malicious code will make it easier for phishing emails to bypass initial checks and malware scanners.

Researchers have noted that users are only susceptible to infection if macros are enabled, which the phishing attack will use to trigger a series of commands once the Word document is opened.

Macros are disabled by default in Microsoft Office, so the Word document itself contains a lure designed to trick users into enabling macros, claiming that if they don’t, the file won’t load correctly.

When the Word document opens, and macros are enabled, the document downloads and opens another password-protected Microsoft Excel file from a remote server.

The Word document contains combo box components that store the content required to connect to the remote Excel document, including the Excel object, URL, and password required to open the file. The URL is stored in the combo box in the form of broken strings, which are combined later to form a complete string.

The code then attempts to download and open the Excel file stored in the malicious domain. After extracting the contents from the Excel cells, the Word file creates a Visual Basic for Applications (VBA) module in the downloaded Excel file by writing the retrieved contents. It, essentially, retrieves the cell contents and writes them to XLS macros.

Once the macro is formed and ready, it modifies a RegKey to disable trust access for VBA on the victim’s device in order to execute the malicious function without any Microsoft Office warnings. After writing macro contents to the Excel file, and disabling trust access, a function from the newly written excel VBA is called which downloads the Zloader payload.

“Malicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payload,” McAfee’s researchers Kiran Raj and Kishan N wrote.

Related Resource

X-Force Threat Intelligence Index

Top security threats and recommendations for resilience

Transparent cube against a black background - whitepaper from IBMDownload now

“Usage of such agents in the infection chain is not only limited to Word or Excel, but further threats may use other living off the land tools to download its payloads. Due to security concerns, macros are disabled by default in Microsoft Office applications. We suggest it is safe to enable them only when the document received is from a trusted source.”

The operators of the Zloader malware are notorious for finding increasingly innovative ways of spreading their banking Trojan. The malware was found to be present in 100 coronavirus-related email campaigns as of the first half of 2020. Zloader was also hiding within encrypted Excel documents, according to research published in March this year, with its operators overseeing invoice-related spam campaigns.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

New malware uses search engine ads to target pirate gamers
malware

New malware uses search engine ads to target pirate gamers

21 Jul 2021
X-rated phishing attacks just keep growing
phishing

X-rated phishing attacks just keep growing

4 Jun 2021
Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021