XML Files Containing Tainted Macros Help Spread Malware
Trustwave, the security company, cautions that cyber-criminals are cashing in on infected macros concealed within Extensible Markup Language (XML) files in an attempt to spread malicious software.
During the first week of March 2015, researchers at Trustwave intercepted a spam campaign of bulk e-mails carrying a “remittance advice” attachment that supposedly came from various businesses. The e-mails directed recipients to view the attachment, which was actually a Word document labeled as XML.
Opening the file launched Microsoft Word, and if macros were enabled on the device, malicious code written in VBA (Visual Basic for Applications) ran.
Once active, the disguised macros downloaded the Dridex Trojan from a remote server. Dridex steals banking details as soon as the victim signs into an online bank account: the Trojan waits on the computer until the user logs into a targeted bank or credit card company website, then injects HTML into the site that prompts the victim for additional information such as the card verification value (CVV), the card's expiry date, and the social security number (SSN).
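The attachment described above is a Word document saved with an .xml extension. As an added example, not code from the article or from Trustwave, the following Python triage script flags such files from a defender's side. It assumes the attachment uses the Word 2003 XML ("WordML") format, in which Windows hands the .xml file to Word because of an `mso-application` processing instruction, and in which binary content such as a macro project travels as a base64-encoded `editdata.mso` blob inside a `w:binData` element. The sample XML and the blob are constructed here for the demonstration; the `ActiveMime` header string and the OLE magic bytes are the well-known container signatures the script looks for.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Namespace of the Word 2003 XML ("WordML") format. Assumption: the XML-disguised
# Word attachment uses this format, which can embed binary parts as base64 binData.
WORDML_NS = "http://schemas.microsoft.com/office/word/2003/wordml"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 / compound file header
ACTIVEMIME_MAGIC = b"ActiveMime"                  # header of Office's editdata.mso container


def _decode_bindata(text):
    """Decode the base64 payload of a binData element, tolerating line breaks."""
    try:
        return base64.b64decode("".join((text or "").split()))
    except (binascii.Error, ValueError):
        return b""


def analyze_word_xml(xml_bytes):
    """Return a list of findings describing suspicious content in an XML attachment."""
    findings = []
    # This processing instruction makes Windows open the .xml file with Word.
    if b'<?mso-application progid="Word.Document"?>' in xml_bytes:
        findings.append("word-2003-xml")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        findings.append("xml-parse-error")
        return findings
    # Walk every w:binData element and inspect the decoded payload.
    for el in root.iter(f"{{{WORDML_NS}}}binData"):
        name = el.get(f"{{{WORDML_NS}}}name", "")
        blob = _decode_bindata(el.text)
        if name.lower().endswith(".mso"):
            findings.append(f"mso-container:{name}")
        if blob.startswith(ACTIVEMIME_MAGIC):
            findings.append(f"activemime:{name}")
        elif blob.startswith(OLE_MAGIC):
            findings.append(f"ole:{name}")
    return findings


def looks_like_macro_carrier(xml_bytes):
    """True when a Word XML document embeds a binary container that can hold a VBA project."""
    findings = analyze_word_xml(xml_bytes)
    return "word-2003-xml" in findings and any(
        f.startswith(("mso-container:", "activemime:", "ole:")) for f in findings
    )


# Constructed sample: a WordML document with an editdata.mso part whose payload
# starts with the ActiveMime header (the rest of the blob is placeholder bytes).
SAMPLE_BLOB = ACTIVEMIME_MAGIC + b"\x00" * 6 + b"CONSTRUCTED-PLACEHOLDER"
SAMPLE_XML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">\n'
    b'  <w:binData w:name="editdata.mso">' + base64.b64encode(SAMPLE_BLOB) + b'</w:binData>\n'
    b'  <w:body><w:p><w:r><w:t>Remittance advice</w:t></w:r></w:p></w:body>\n'
    b'</w:wordDocument>\n'
)

# Constructed benign sample: same format, text only, no binary parts.
BENIGN_XML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">\n'
    b'  <w:body><w:p><w:r><w:t>Remittance advice</w:t></w:r></w:p></w:body>\n'
    b'</w:wordDocument>\n'
)

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_XML), ("benign", BENIGN_XML)):
        print(label, looks_like_macro_carrier(doc), analyze_word_xml(doc))
```

The check is deliberately structural: it does not try to parse the VBA project itself, only to answer the question a mail gateway or analyst needs first, namely whether an "XML" attachment is really a Word document carrying a binary container. Files that trip the check are candidates for sandboxing or for deeper inspection with a macro-extraction tool.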
Karl Sigler, Threat Intelligence Manager at Trustwave, says the use of XML documents as bait has never been seen before. As for macros, they have been disabled by default since Office 2007 was released. Threatpost.com published this on March 6, 2015.
Sigler adds that local admins within large organizations occasionally have the ability to enable macros. A few companies use them regularly, but the practice isn't common; usually Word's default macro settings are left off. Why the cyber-criminals turned to XML is hard to say. Possibly they are hunting for a fresh attack vector after failing to get enough click-throughs with spreadsheet files, or they weren't getting users to enable macros the way they wanted and are trying another method to improve their exploitation success rate.
To stay safe from this spam run, end-users are urged not to open unsolicited messages and to avoid opening unexpected file attachments, since they may be malware-tainted.