Email Attack Utilizes Macros to Hijack Desktop Shortcuts

July 14, 2018

 

The placement of malware through malevolent Word documents is not new, even though the methods used by cybercriminals frequently modify. Now a new technique of malware placement has been found, in which users are deceived into downloading the malevolent payload.

The attack begins like several other email-based attacks. The user should open an electronic mail and attachment as well as enable macros. The macro then hunts for usual desktop shortcuts like Skype or Google Chrome. A corresponding malevolent file is then downloaded to the proper place from Google Drive or GitHub. That file has a properly benign name like chrome_update.exe, and the path of the shortcut is modified.

The malware will then be carried out when the user finally double clicks on the malevolent desktop shortcut. When that occurs, the desktop shortcut will be altered back to its initial target, so that the next time the user double clicks, the shortcut will start the right program.

When the shortcut has been ticked the end user will probably be unconscious that a backdoor has been connected. The malware generates a Windows service called WPM Provider Host, which operates in the background and downloads files onto the infected computer. As per Trend Micro, which recognized this new crusade, more files downloaded to the appliance contain genuine tools such as WinRAR.

The malware then downloads RAR records to the computer, which are emptied using the transferred WinRAR program. These transfers are set to happen every hour until all needed files have been transferred. The installer files are operated by the WPM Provider Host service. The Ammyy Admin distant administration tool is also connected, providing the attacker distant access to the infested system.

Information is gathered from the infested system via dump files, which are condensed and exfiltrated through SMPT by linking to the mail servers’ rambler.ru and meta.ua 

Established on the information gathered, and the fact that some of the dump files generated by the malware were altered and updated, Trend Micro doubts that the malware is in the early phases of development and additional varieties will be issued at a later date.

Threat actors are continuously altering the procedures they use to download malevolent files and thieve confidential information, as this uncommon technique of attack demonstrates. At this phase, there have been few sufferers and the campaign seems to have a restricted distribution, thus far targeting users in Russia, even though that might well change.

Macros are deactivated by default in Microsoft Office, so this attack method needs an end user to allow macros before the malevolent payload is downloaded and fitted.  Apart from an innovative spam filtering solution to obstruct malevolent electronic mails, among the most effective methods of avoiding the fitting of malware is via safety consciousness training. Workers must be trained to exercise care when opening electronic mails from unknown people, and never to allow macros in documents sent through electronic mail.