Malware Starts Pinpointing Financial Services Targets

January 17, 2017 Marketing GrafWebCUSO

Sunnyvale, Calif.-based security firm Proofpoint discovered a sharply focused email-based campaign attacking a major financial services provider: a small number of malicious emails sent to users in a single organization.

The emails carried a Microsoft Word attachment that used an embedded object rather than macros to evade detection; the embedded object was itself heavily obfuscated. The payload was a previously unidentified keylogger hardcoded to send its logs from infected computers to two Gmail addresses.

Proofpoint recommends all organizations, including credit unions and other financial institutions, stay aware of this newest attack method.

“While the use of embedded objects instead of macros is not new, malicious macros remain the vector of choice for most threat actors at this time. However, we expect that this technique will become more popular in 2017,” Danny Howerton, a threat analyst at Proofpoint, said in the blog post.

In its technical analysis of the attack, Proofpoint showed that the emails carried a Microsoft Word attachment named “info.doc.” The document contained a decoy image asking users to click and install Microsoft Silverlight to view the content. Closer examination revealed no macros in the document, but rather a Packager shell object: right-clicking the image shows that it is an embedded object, not a simple linked figure, and clicking it runs the embedded file rather than installing anything.

A memory dump of the malware process revealed a network request to http[:]//icanhazip[.]com, which the malware uses to learn the public IP address of the infected machine, and the string “GetAsyncKeyState,” a Windows API frequently used by keyloggers to capture the keys pressed by the user. The malware also used Gmail’s SMTP server to send these logs to two hardcoded Gmail addresses.

“To date, we have not identified this particular keylogger,” Proofpoint explained. What is known is that it is written in the AutoIt scripting language and that it downloads additional tools, such as the LaZagne password recovery tool, from hxxp://0v3rfl0w[.]com. The infection vector is of greater interest at this point; the functions of the malware itself are fairly straightforward.

“As threat actors move beyond the use of malicious macros, organizations will need to rethink how they prevent malicious content from reaching end users,” Proofpoint warned.

While many organizations are either blocking Microsoft Office macros at a policy level or educating users about the dangers of enabling macro content, the security firm pointed out that attackers have other means of creating weaponized documents for distributing malware: in this case, a Visual Basic script embedded in a Microsoft Word document as a Packager object, with a keylogger payload. A macro-blocking policy alone does nothing against such a document, so attachment inspection needs to flag embedded OLE and Packager objects as well, and Word’s Security\PackagerPrompt registry value can be set to disable Packager object activation outright.
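The gap described in the technical analysis and in the closing paragraph, as an added example that is not Proofpoint’s tooling or code from the original article: a static triage routine for a Word attachment that reports embedded OLE/Packager objects separately from VBA macros, so a gateway rule that only checks for macros does not wave through a macro-free document like the one in this campaign. The real sample was a legacy OLE2 .doc, which this code only fingerprints by its magic bytes and stream-name markers; the full walk is done for the OOXML (.docx) container, which is an assumption beyond what the article describes. The sample document is constructed in memory.

```python
"""Triage a Word attachment for embedded Packager/OLE objects and VBA macros.

Added example, not Proofpoint's code. Assumes OOXML (.docx) layout for the full
walk; legacy OLE2 .doc files are only fingerprinted. Sample input is CONSTRUCTED.
"""
import io
import re
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entries store stream names as UTF-16LE, so encode markers that way.
STREAM_MARKERS = {
    "ole10native": "\x01Ole10Native".encode("utf-16-le"),  # Packager payload stream
    "vba_project": "_VBA_PROJECT".encode("utf-16-le"),     # VBA macro storage
}
# ProgID="Package" on an <o:OLEObject> in word/document.xml marks a Packager shell object.
PROGID_RE = re.compile(r'<o:OLEObject\b[^>]*\bProgID="([^"]+)"')


def ole2_markers(blob: bytes) -> set:
    """Cheap marker scan of a raw OLE2 blob (no full FAT/directory parse)."""
    return {name for name, marker in STREAM_MARKERS.items() if marker in blob}


def triage_word_doc(data: bytes) -> dict:
    """Return a report with container type, macro flag, embedded objects and verdict."""
    report = {"container": "unknown", "has_macros": False,
              "embedded_objects": [], "prog_ids": [], "reasons": []}
    if data.startswith(OLE2_MAGIC):
        report["container"] = "ole2"
        found = ole2_markers(data)
        report["has_macros"] = "vba_project" in found
        if "ole10native" in found:
            report["embedded_objects"].append(("<root>", "packager"))
    elif data.startswith(b"PK\x03\x04"):
        report["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            report["has_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            if "word/document.xml" in names:
                xml = zf.read("word/document.xml").decode("utf-8", "replace")
                report["prog_ids"] = PROGID_RE.findall(xml)
            for n in names:
                if n.startswith("word/embeddings/"):
                    kind = "packager" if "ole10native" in ole2_markers(zf.read(n)) else "ole"
                    report["embedded_objects"].append((n, kind))
    if report["has_macros"]:
        report["reasons"].append("VBA project present")
    has_packager = (any(kind == "packager" for _, kind in report["embedded_objects"])
                    or "Package" in report["prog_ids"])
    if has_packager:
        report["reasons"].append("embedded Packager shell object")
    elif report["embedded_objects"]:
        report["reasons"].append("embedded OLE object")
    report["verdict"] = "suspicious" if report["reasons"] else "clean"
    return report


def build_sample_docx(prog_id: str = "Package", with_macros: bool = False) -> bytes:
    """CONSTRUCTED .docx mimicking the lure: one embedded Packager object, no VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Default Extension="bin" '
                    'ContentType="application/vnd.openxmlformats-officedocument.oleObject"/></Types>')
        zf.writestr("word/document.xml",
                    '<w:document><w:body><w:p><w:r><w:object>'
                    f'<o:OLEObject Type="Embed" ProgID="{prog_id}" r:id="rId3"/>'
                    '</w:object></w:r></w:p></w:body></w:document>')
        # Minimal OLE2-looking blob: header magic plus a directory-entry style stream name.
        zf.writestr("word/embeddings/oleObject1.bin",
                    OLE2_MAGIC + b"\x00" * 0x38 + STREAM_MARKERS["ole10native"] + b"\x00" * 16)
        if with_macros:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("packager, no macros", build_sample_docx()),
                       ("packager + macros", build_sample_docx(with_macros=True))):
        print(label, "->", triage_word_doc(doc))
```

Against the constructed lure the report shows `has_macros` False but an embedded Packager object, which is exactly the case a macro-only policy misses; a production gateway would additionally parse the OLE2 directory properly instead of the marker scan used here.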