Email Attack Uses Macros to Hijack Desktop Shortcuts


Delivering malware through malicious Word documents is nothing new, although the methods used by cybercriminals change frequently. A new delivery method has now been discovered in which users are tricked into launching the malicious payload themselves.

The attack starts like many other email-based attacks: the user opens an email and its attachment and enables macros. The macro then searches the desktop for common shortcuts, such as those for Skype or Google Chrome. A matching malicious file is downloaded from GitHub or Google Drive to the appropriate location. That file is given a plausible-looking name such as chrome_update.exe, and the target path of the shortcut is changed to point to it.

The malware is executed when the user next double-clicks the hijacked desktop shortcut. As soon as that happens, the shortcut is changed back to its original target, so the next time the user double-clicks it, the shortcut opens the legitimate program.
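As an added example (not code from the article or from Trend Micro's research), the following Python audit flags desktop shortcuts whose target no longer matches the application's known install path, lives in a user-writable directory, or carries an "update"-style name, as in the chrome_update.exe case described above. The shortcut data is a constructed sample embedded inline; on a live Windows host the (name, target) pairs would be obtained by resolving each .lnk file (for example through the WScript.Shell COM object), and the expected install paths are assumptions to be adapted to the environment.

```python
import re
from pathlib import PureWindowsPath

# Expected install locations for commonly hijacked applications.
# These are assumptions for the example; adapt them to the real fleet.
EXPECTED_TARGETS = {
    "google chrome": [
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    ],
    "skype": [r"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"],
}

# Directories a macro running in the user's context can write to without elevation.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|Users\\[^\\]+\\(Desktop|Downloads|Documents))\\", re.IGNORECASE
)


def audit_shortcut(name, target):
    """Return a list of reasons a shortcut looks hijacked (empty if it looks clean)."""
    findings = []
    expected = EXPECTED_TARGETS.get(name.lower())
    if expected and target.lower() not in (e.lower() for e in expected):
        findings.append("target differs from known install path")
    if USER_WRITABLE.search(target):
        findings.append("target lives in a user-writable directory")
    if re.search(r"update", PureWindowsPath(target).name, re.IGNORECASE):
        findings.append("target name mimics an updater")
    return findings


def audit_shortcuts(shortcuts):
    """Run audit_shortcut over (name, target) pairs; return only the flagged ones."""
    flagged = []
    for name, target in shortcuts:
        findings = audit_shortcut(name, target)
        if findings:
            flagged.append((name, target, findings))
    return flagged


# Constructed sample: one clean Chrome shortcut and two hijacked ones.
SAMPLE_SHORTCUTS = [
    ("Google Chrome", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ("Google Chrome", r"C:\Users\alice\AppData\Roaming\chrome_update.exe"),
    ("Skype", r"C:\Users\alice\Desktop\skype_update.exe"),
]

if __name__ == "__main__":
    for name, target, findings in audit_shortcuts(SAMPLE_SHORTCUTS):
        print(f"{name}: {target} -> {', '.join(findings)}")
```

Because the shortcut is restored to its original target after its first use, the check is only useful in the window before the user clicks, so it is worth scheduling rather than running once.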

Once the shortcut has been clicked, the user is likely unaware that a backdoor has been installed. The malware creates a Windows service called WPM Provider Host, which runs in the background and downloads files onto the infected computer. According to Trend Micro, which discovered this new campaign, the additional files downloaded to the machine include legitimate tools such as WinRAR.

The malware then downloads RAR archives to the computer, which are extracted using the downloaded WinRAR program. These downloads are scheduled to occur every hour until all the required files have been retrieved. The installer files are run by the WPM Provider Host service. The Ammyy Admin remote administration tool is also installed, giving the attacker remote access to the infected system.

Information is collected from the infected system in dump files, which are compressed and exfiltrated over SMTP by connecting to the mail servers of rambler.ru and meta.ua.

Based on the information gathered, and the fact that some of the dump files created by the malware had been modified and updated, Trend Micro suspects that the malware is in the early stages of development and that further versions will be released at a later date.

As this unusual attack method shows, threat actors are continually changing the methods they use to deliver malicious files and steal sensitive information. At this stage there have been few victims and the campaign appears to have limited distribution, so far targeting users in Russia, although that could well change.

Macros are disabled by default in Microsoft Office, so this attack method requires the user to enable macros before the malicious payload is downloaded and installed. Apart from an improved spam filtering solution to block malicious emails, one of the most effective ways of preventing malware installation is security awareness training. Employees should be taught to exercise caution when opening emails from unknown senders, and never to enable macros in documents sent by email.