Spear phishers abuse Word programming feature to infect targets

Hackers abused Microsoft's Visual Basic for Applications (VBA) to rig email attachments, Cisco reveals.

An attack group with a penchant for high-profit businesses, including those in the banking, oil and entertainment industries, is using a spear phishing campaign to target victims, Cisco warns.

Craig Williams, technical leader of Cisco's Threat Research Analysis and Communications (TRAC) team, delved into attackers' exploits in a Monday blog post. According to Williams, the group lures targets with malicious emails crafted to look like business invoices.

Those who take the bait (the phishing emails are crafted for specific company members) download malware via a malicious Microsoft Word attachment. When opened, the file is rigged to download a malicious executable, Williams wrote. The malware contacts several domains during this process, including the Dropbox cloud-based file-sharing service, where attackers host malware payloads.

In email correspondence with SCMagazine.com, Williams explained that hackers leveraged a Microsoft programming language, Visual Basic for Applications, to lay their trap.

“This is really an abused feature,” Williams said. “The attacks are using Visual Basic Scripting for Applications to cause an On-Open macro to fire when the victim opens the Word document. This will result in downloading an executable and launching it on the victim's machine. It's quite an old technique,” he added.
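One defensive gate against the technique Williams describes is to hold any Word attachment that carries a VBA project at all, regardless of what its extension claims, and send it for deeper analysis before it reaches a user. The check below is an added example, not Cisco's or SCMagazine's code; it uses only the standard library, the sample documents are constructed stubs rather than real files, and the "Macros" storage-name test on legacy .doc files is a heuristic (it only proves a VBA project is present, not that it auto-executes).

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory-entry names inside an OLE compound file are UTF-16LE; "Macros"
# is the storage Word uses for a VBA project in the legacy .doc format.
OLE_MACRO_STORAGE = "Macros".encode("utf-16-le")
# In the OOXML formats (.docm, .dotm) the VBA project is this zip member.
OOXML_VBA_PART = "word/vbaProject.bin"


def has_vba_project(data: bytes) -> bool:
    """True if a Word file carries a VBA project, whatever its extension says."""
    if data.startswith(OLE_MAGIC):                 # legacy binary .doc
        return OLE_MACRO_STORAGE in data           # heuristic storage-name scan
    if data.startswith(b"PK"):                     # OOXML zip container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return OOXML_VBA_PART in zf.namelist()
        except zipfile.BadZipFile:
            return False
    return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Gateway verdict: hold macro-bearing Word attachments for analysis."""
    word_ext = filename.lower().endswith((".doc", ".dot", ".docx", ".docm", ".dotm"))
    if word_ext and has_vba_project(data):
        return "quarantine"
    return "deliver"


def _build_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML container (a stub, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr(OOXML_VBA_PART, b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


# Constructed samples: a macro-enabled .docm, a plain .docx, and a stub of a
# legacy .doc whose directory contains the "Macros" storage name.
DOCM_SAMPLE = _build_ooxml(with_vba=True)
DOCX_SAMPLE = _build_ooxml(with_vba=False)
DOC_SAMPLE = OLE_MAGIC + b"\x00" * 504 + OLE_MACRO_STORAGE + b"\x00" * 52

if __name__ == "__main__":
    for name, blob in [("invoice.docm", DOCM_SAMPLE), ("invoice.docx", DOCX_SAMPLE),
                       ("invoice.doc", DOC_SAMPLE)]:
        print(name, triage_attachment(name, blob))
```

Quarantined files can then be handed to a macro analyser that extracts the VBA source and looks for auto-execute entry points such as the on-open trigger Williams mentions.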

Along with the Dropbox URL, other domains the malware contacted, such as londonpaerl.co.uk (a close match for the legitimate site londonpearl.co.uk), were used to host backdoors, though Cisco blocked the malware from reaching its clients.

According to Williams, Cisco thwarted attacks from the group throughout May and June, though the majority of attacks occurred last month.

The spear phishing campaign has, so far, targeted organizations in Europe, Williams wrote, adding that hackers were likely motivated by “monetary gain.”

Next week, Cisco plans to divulge more information on the group's exploits, specifically the malware used by attackers and their obfuscation techniques, the company blog post said.
