Incident Response, Malware, TDR

Spear phishers abuse Word programming feature to infect targets

An attack group with a penchant for high-profit businesses, including those in the banking, oil and entertainment industries, is using a spear phishing campaign to target victims, Cisco warns.

Craig Williams, technical leader of Cisco's Threat Research Analysis and Communications (TRAC) team, delved into attackers' exploits in a Monday blog post. According to Williams, the group lures targets with malicious emails crafted to look like business invoices.

Those who take the bait, or phishing emails crafted for specific company members, download malware via a malicious Microsoft Word attachment. When opened, the file is rigged to download a malicious executable, Williams wrote. The malware contacts several domains during this process, including a Dropbox cloud-based file-sharing service, where attackers host malware payloads.

In email correspondence with SCMagazine.com, Williams explained that hackers leveraged a Microsoft programming language, Visual Basic for Applications, to lay their trap.

“This is really an abused feature,” Williams said. “The attacks are using Visual Basic Scripting for Applications to cause an On-Open macro to fire when the victim opens the Word document. This will result in downloading an executable and launching it on the victim's machine. It's quite an old technique,” he added.

Along with the Dropbox url, other domains the malware contacted, such as londonpaerl.co.uk (a close match for legitimate site, londonpearl.co.uk), were used to host backdoors, though Cisco blocked the malware from its clients.

According to Williams, Cisco thwarted attacks from the group throughout May and June, though the majority of attacks occurred last month.

The spear phishing campaign has, so far, targeted organizations in Europe, Williams wrote, adding that hackers were likely motivated by “monetary gain.”

Next week, Cisco plans to divulge more information on the group's exploits, specifically the malware used by attackers and their obfuscation techniques, the company blog post said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.