The use of macros by hackers is mitigated by the fact they’ve been disabled by default since the release of Office 2007. But Cisco researchers said the language and spoofed senders in the phishing emails accompanying the targeted attacks could be enough to convince a potential victim to enable macros and execute the attack.
“In this case, they’re impersonating a legitimate business. If the message is convincing enough, they could lower their guard and enable macros if they believe doing so will fully render a document or allow them to see the encoding of images a document may contain,” said Cisco Talos threat researcher Alex Chiu. “We’ve seen these techniques used with several targeted Dridex campaigns. They’re taking techniques that are old, and in this case, making them useful again.”
The use of AutoIt is not only unique, but effective in allowing the attackers to evade detection. AutoIt is a legitimate IT administration tool and could be whitelisted in many enterprises. In the case of this particular campaign, the victim is urged to enable macros on a Word document that pretends to be from a legitimate business. Once the victim executes the attack, it reaches out to hxxp://frontlinegulf[.]com/tmp/adobefile.exe where it downloads a binary. The payloads change regularly Cisco said. AutoIt was one such payload, downloaded in a self-extracting archive. In addition to AutoIt, a 600MB AutoIt script was downloaded from the archive that included antianalysis checks, payload decryption, malware installation and persistence mechanisms. The script also installed either the Cybergate RAT, NanoCore RAT, or the Parite worm.
The RATs were used against a small number of organizations, Chiu said. The large AutoIt script would likely evade antivirus or intrusion detection systems that have file-size limits. Chiu said too that it looks for a particular antivirus installation and if detected, it sleeps for a defined period of time before executing. Once it does execute, it tries to disable Windows User Access Control (UAC) in order to establish persistence on the machine and continue decrypting its payload.
“Adversaries are using legitimate freeware to fly under the radar,” Chiu said. “It can hide as white noice because it appears as a management task.” Chiu said it’s unknown whether the targeted organizations already were using AutoIt in their environments.
As for the RATs, NanoCore was spotted in attacks against energy companies in Asia and the Middle East before earlier this year, source code for the RAT and its premium plugins was leaked online making it widely accessible. Cybergate, meanwhile, has been available for years online and is considered easy to setup and use.
In January, Microsoft warned companies of a spike in macro-enabled malware. It said in December attacks peaked at fewer than 8,000 a day for a short time. Like the current campaign spotted by Cisco, victims were enticed to enable macros and were ultimately infected by either the Ardnel or Tarbir downloader that grabbed any variety of malware from there.