
Managed security service provider Trustwave’s SpiderLabs has detected a new malware tactic that relies on users opening Microsoft Word documents but doesn’t depend on the social engineering typically used to get victims to enable macro scripts. The new macro-free malware is out there and active, SpiderLabs researchers said in a blog post.
“Malware authors often distribute malware through code macros in Microsoft Office documents such as Word, Excel, or PowerPoint,” said Homer Pacag, a Trustwave malware analyst and tools developer. Typically, macros are executed when a user opens the file. Despite the warnings Office apps display, the user may still open the infected file without realising the risk.
This sample is different. “The sample we look at today takes a longer, macro-less approach,” said Pacag. In an email spam campaign SpiderLabs has been monitoring, the final payload is a password stealer, delivered through a four-stage infection process that begins once the user has opened the attachment, he said.
Here’s what actually happens: the exploitation relies on a chain of file types and scripting engines, including DOCX, RTF, HTA, VBScript, and PowerShell. (via BleepingComputer)
The malware approach isn't typical, Trustwave says.
“It's pretty unusual to find so many stages and vectors being used to download malware,” wrote Pacag. “Indeed, this approach can be very risky for the malware author. If any one stage fails, it will have a domino effect on the whole process.” Pacag pointed out that the attack uses file types (DOCX, RTF and HTA) that are not often blocked by email or network gateways, unlike the “more obvious” scripting languages such as VBS, JScript or WSF.
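Because each stage must be fetched in order, the chain leaves a recognisable footprint in web proxy logs, and a stalled chain (the domino effect Pacag describes) is itself a signal worth alerting on. The following detection script is an added example written for this article, not Trustwave's code; the log format, hostnames and IP addresses are constructed, and the stage order follows the file types the article names (DOCX, RTF, HTA, VBScript, PowerShell).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage order reported for the campaign: DOCX -> RTF -> HTA -> VBScript -> PowerShell.
STAGE_EXTS = {".docx": 0, ".rtf": 1, ".hta": 2, ".vbs": 3, ".ps1": 4}
STAGE_NAMES = ["DOCX", "RTF", "HTA", "VBScript", "PowerShell"]
WINDOW = timedelta(minutes=10)   # stages of one infection arrive within seconds

# Constructed proxy log lines (hypothetical hosts/IPs): "<timestamp> <client> <url>".
SAMPLE_LOG = """\
2018-02-12T09:00:01 10.0.0.5 http://example-mail.test/invoice.docx
2018-02-12T09:00:04 10.0.0.5 http://files.example.test/stage2.rtf
2018-02-12T09:00:06 10.0.0.5 http://files.example.test/stage3.hta
2018-02-12T09:00:08 10.0.0.5 http://files.example.test/run.vbs
2018-02-12T09:00:09 10.0.0.5 http://files.example.test/final.ps1
2018-02-12T09:05:00 10.0.0.9 http://intranet.example.test/report.docx
2018-02-12T09:30:00 10.0.0.9 http://intranet.example.test/notes.rtf
2018-02-12T10:00:00 10.0.0.7 http://example-mail.test/quote.docx
2018-02-12T10:00:03 10.0.0.7 http://files.example.test/stage2.rtf
2018-02-12T10:00:05 10.0.0.7 http://files.example.test/stage3.hta
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, client, stage_index) for requests whose URL ends in a stage extension."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, url = m.groups()
        name = url.rsplit("/", 1)[-1]
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in STAGE_EXTS:
            yield datetime.fromisoformat(ts), client, STAGE_EXTS[ext]

def find_chains(text, min_stages=3):
    """Return {client: [stage names]} for clients that fetched stage files in
    ascending order within WINDOW; a short list means the chain stalled."""
    events = defaultdict(list)
    for ts, client, stage in parse_log(text):
        events[client].append((ts, stage))
    hits = {}
    for client, evs in events.items():
        chain, start = [], None
        for ts, stage in sorted(evs):
            # Restart the chain if the window expired or the stage order went backwards.
            if start is None or ts - start > WINDOW or (chain and stage <= chain[-1]):
                chain, start = [stage], ts
            else:
                chain.append(stage)
            if len(chain) >= min_stages:
                hits[client] = [STAGE_NAMES[s] for s in chain]
    return hits
```

On the constructed log, 10.0.0.5 completes all five stages, 10.0.0.7 stalls after the HTA stage (still reported, since a stalled chain is an attempted infection), and 10.0.0.9's ordinary document traffic falls outside the window and is ignored.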