Macro-based malware – Computer Security Articles

Credit to Author: msft-mmpc| Date: Mon, 20 Mar 2017 12:50:12 +0000

Tax-themed scams and social engineering attacks are as certain as (death or) tax itself. Every year we see these attacks, and 2017 is no different. These attacks circulate year-round as cybercriminals take advantage of the different country and region tax schedules, but they peak in the months leading to U.S. Tax Day in mid-April. Cybercriminals are using a variety of…

Microsoft Security

January 23, 2017 admin

Been shopping lately? Fake credit card email can spook you into downloading Cerber ransomware

As the shopping sprees become increasingly frenetic during holiday season, it’s hard not to worry about how much credit card debt we’re piling. Some of us rely on email notifications from our banks to track the damage to our finances. So what happens when we suddenly get notified about charges for things we never bought?…

Microsoft Security

January 23, 2017 admin

No slowdown in Cerber ransomware activity as 2016 draws to a close

As everybody else winds down for the holidays, the cybercriminals behind Cerber are busy ramping up their operations. Following our discovery of a spam campaign that takes advantage of holiday shopping, we found two new campaigns that continue distributing the latest variants of Cerber ransomware. These campaigns are the latest in a series of persistent cybercriminal…

Microsoft Security

January 23, 2017 admin

Office 2013 can now block macros to help prevent infection

In response to the growing trend of macro-based threats, a new feature in Office 2016 allows an enterprise administrator to block users from running macros in Office documents that originated from the Internet. This feature was documented back in March: New feature in Office 2016 can block macros and help prevent infection, and the predominant…

Microsoft Security

January 23, 2017 admin

Double-click me not: Malicious proxy settings in OLE Embedded Script

Attackers have been using social engineering to avoid the increasing costs of exploitation due to the significant hardening and exploit mitigations investments in Windows. Tricking a user into running a malicious file or malware can be cheaper for an attacker than building an exploit which works on Windows 10. In our previous blog, Where’s the…

Microsoft Security

January 23, 2017 admin

Where’s the Macro? Malware authors are now using OLE embedding to deliver malicious files

Recently, we’ve seen reports of malicious files that misuse the legitimate Office object linking and embedding (OLE) capability to trick users into enabling and downloading malicious content. Previously, we’ve seen macros used in a similar matter, and this use of OLE might indicate a shift in behavior as administrators and enterprises are mitigating against this…

Microsoft Security

January 23, 2017 admin

Malicious macro using a sneaky new trick

We recently came across a file (ORDER-549-6303896-2172940.docm, SHA1: 952d788f0759835553708dbe323fd08b5a33ec66) containing a VBA project that scripts a malicious macro (SHA1: 73c4c3869304a10ec598a50791b7de1e7da58f36). We added it under the detection TrojanDownloader:O97M/Donoff – a large family of Office-targeting macro-based malware that has been active for several years (see our blog category on macro-based malware for more blogs). However, there wasn’t…

Microsoft Security

January 23, 2017 admin

Large Kovter digitally-signed malvertising campaign and MSRT cleanup release

Kovter is a malware family that is well known for being tricky to detect and remove because of its file-less design after infection. Users from United States are nearly exclusively being targeted, and infected PCs are used to perform click-fraud and install additional malware on your machine. Starting April 21, 2016, we observed a large…