Cyber criminals continue to adapt rapidly to evade detection, including evading signature-based detection tools such as endpoint anti-virus. McAfee reports a campaign designed to distribute the Zloader trojan using another example of a seemingly benign Word macro. The attack begins with a phishing email carrying a Word document as an attachment.

What Is Zloader?

A previous Threat Report discussed a campaign to distribute the IcedID trojan using an attack chain that began with a Microsoft Word document containing a macro which itself held no malicious code, in order to evade detection. A recent report from researchers at McAfee details a campaign to distribute the Zloader trojan using a conceptually similar “benign” macro, though the samples related to this campaign are four months older than those from the IcedID campaign.

The attack chain is a multi-step process:

  • The target receives a phishing email containing a Microsoft Word document as an attachment.
  • If the user opens the Word document, they are presented with the expected message, advising them to enable content to view the document. This is the pre-requisite for allowing the macro to execute.
  • If the Word macro is permitted to run, it uses content from Visual Basic forms in the Word document to access a remote, password-protected Microsoft Excel (XLS) document. This XLS document is held in memory and not written to disk.
  • The Word macro uses content from the cells in the XLS document to create a macro in the XLS document.
  • The Word macro then alters the Windows Registry so that no warnings will be issued for executing Office macros.
  • The Word macro then calls the macro created in the XLS document.
  • The XLS macro downloads the Zloader DLL file and executes it.

The aim of this process is to evade detection by signature-based detection tools, including endpoint anti-virus. It attempts to achieve this by breaking up the content of the macros, particularly any commands which would be classed as suspicious or malicious. This content, including the URL from which the XLS document is downloaded, is stored in different locations, such as in the values of combo boxes on VBA user forms. By doing this, the macro stored in the Word document appears, at first glance, to contain no problematic content. Not writing the XLS document to disk is a further evasion tactic.
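Two steps in the chain above leave host telemetry that does not depend on macro signatures: the Word process editing the registry to suppress macro warnings, and the same process reaching out to the network for the XLS document and the DLL. The following added detection example (not code from the report or from McAfee) correlates those two behaviours per process over constructed Sysmon-style records; it assumes the registry value involved is Office's VBAWarnings setting, which the report does not name.

```python
import os
import re
OFFICE_PROCS = {"winword.exe", "excel.exe"}
# Assumption: the report only says the macro edits the registry so no macro
# warnings are issued; VBAWarnings under the Office Security key is the value
# that controls this, and a DWORD of 1 means "enable all macros".
VBA_WARN_KEY = re.compile(r"\\Office\\[\d.]+\\(Word|Excel)\\Security\\VBAWarnings$", re.I)
ALL_MACROS_ON = re.compile(r"DWORD \(0x0*1\)$", re.I)

def office_name(image):
    """Lower-cased executable name if it is an Office host process, else None."""
    name = os.path.basename(image.replace("\\", "/")).lower()
    return name if name in OFFICE_PROCS else None

def correlate(events):
    """Group Sysmon-style events by PID and flag Office processes that turn off
    macro warnings in the registry and/or make outbound connections."""
    per_pid = {}
    for ev in events:
        name = office_name(ev.get("Image", ""))
        if not name:
            continue  # not an Office host process, ignore
        rec = per_pid.setdefault(ev["ProcessId"], {"image": name, "macro_warn_off": False, "network": []})
        if ev["EventID"] == 13 and VBA_WARN_KEY.search(ev["TargetObject"]) and ALL_MACROS_ON.search(ev["Details"]):
            rec["macro_warn_off"] = True
        elif ev["EventID"] == 3:
            rec["network"].append(f'{ev["DestinationIp"]}:{ev["DestinationPort"]}')
    alerts = {}
    for pid, rec in per_pid.items():
        if rec["macro_warn_off"] and rec["network"]:
            rec["severity"] = "high"    # both stages of the chain in one process
        elif rec["macro_warn_off"] or rec["network"]:
            rec["severity"] = "medium"  # one stage only: triage, do not page
        else:
            continue
        alerts[pid] = rec
    return alerts

# Constructed sample telemetry (EventID 13 = registry value set, 3 = network connection); SIDs and addresses are made up.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 4120, "Image": WORD, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings"},
    {"EventID": 3, "ProcessId": 4120, "Image": WORD, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 13, "ProcessId": 5001, "Image": r"C:\Windows\explorer.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"EventID": 3, "ProcessId": 6100, "Image": WORD.replace("WINWORD", "EXCEL"),
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]
```

Running `correlate(SAMPLE_EVENTS)` rates the Word process 4120 as high (registry change plus network) and the Excel process 6100 as medium (network only), while the explorer.exe registry write is ignored.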

The McAfee report describes this as a new technique, though the samples related to this campaign were first seen in late January 2021. Additionally, during research for this Threat Report, a report released by the Threat Research team at Hornetsecurity was found. This report, released in late March 2021, describes a very similar attack chain to the one described here, which also resulted in the download and execution of a Zloader DLL; however, the initial attachment was an MHTML document. This MHTML document was given a “doc” file extension, ensuring it would be opened by Microsoft Word, with the remainder of the attack chain and techniques matching those described above.

The fact that these techniques are only now being described in research reports, after being deployed since late January, suggests criminals are succeeding at their intended purpose of evading signature-based detection systems. As a result, it can be expected that further variations on this theme will continue to be used by attackers until they are forced to pivot to another technique to maintain the efficacy of attacks on their targets.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. This attack relies on social engineering: the user must be convinced to allow the macro in the attached Microsoft Word document to run in order for the attack to succeed.

When/How Did BluVector Detect It?

Two samples are publicly available, and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown the samples would have been detected for an average of 52 months prior to their release. We detect threats that others don’t.