What is the Issue:
Security researchers have discovered a new attack technique that combines Microsoft Word, macros and your desktop shortcuts. A malicious macro embedded in a Word document modifies desktop shortcuts so that they download malware when you click on them. When this occurs, a rogue Windows service is created in the background, which enables the installation of secondary programs that can escalate the attacker's privileges on the target machine and grant them access to important data.
Why is this noteworthy:
The malicious macro scans the machine for popular applications to mirror (Chrome, Firefox, Skype, Internet Explorer, etc.). The normal application executables are replaced with special links that download malware. Once the malware has been downloaded, the modified shortcuts are restored to their original function in order to avoid arousing suspicion in users. Not only does this macro have the potential to flood a system with malware, sensitive data on the target can also be stolen. By default, macros are disabled on Windows devices, so for the macro to infect a target the user must manually enable macros on their device. With minimal direct involvement, the attacker can quickly gain admin access to a machine.
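A defender's check for the shortcut and service tampering described above, as an added example that is not part of the SKOUT advisory. The expected executable paths, the list of script hosts and the seven-day write-time window are assumptions about the host being audited and should be adjusted to what is actually installed.

```powershell
# Added example, not from the SKOUT advisory: audit desktop shortcuts and services for the
# retargeting described above. Expected paths below are assumptions; adjust them to the host.
$expected = @{
    'Google Chrome'     = @('C:\Program Files\Google\Chrome\Application\chrome.exe',
                            'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe')
    'Firefox'           = @('C:\Program Files\Mozilla Firefox\firefox.exe')
    'Skype'             = @('C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe')
    'Internet Explorer' = @('C:\Program Files\Internet Explorer\iexplore.exe')
}
# Interpreters and download-capable binaries an application shortcut has no reason to launch.
$scriptHosts = 'powershell.exe','cmd.exe','wscript.exe','cscript.exe','mshta.exe',
               'rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe'
$userWritable = '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\'
$downloadHint = 'https?://|DownloadFile|DownloadString|Invoke-WebRequest|IEX|-enc'
$recent = (Get-Date).AddDays(-7)   # assumption: shortcuts written this week are worth a look

$shell = New-Object -ComObject WScript.Shell
$desktops = [Environment]::GetFolderPath('Desktop'), [Environment]::GetFolderPath('CommonDesktopDirectory')

$shortcutFindings = $desktops |
    ForEach-Object { Get-ChildItem -Path $_ -Filter *.lnk -ErrorAction SilentlyContinue } |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $target = [string]$lnk.TargetPath
        $arguments = [string]$lnk.Arguments
        $exe = [IO.Path]::GetFileName($target)
        $reasons = @()
        if ($scriptHosts -contains $exe) { $reasons += "launches $exe" }
        if ($arguments -match $downloadHint) { $reasons += 'arguments reference a download or encoded command' }
        if ($target -match $userWritable) { $reasons += 'target is in a user-writable location' }
        if ($expected.ContainsKey($_.BaseName) -and ($expected[$_.BaseName] -notcontains $target)) {
            $reasons += "target '$target' is not the expected $($_.BaseName) executable"
        }
        # A restored shortcut looks normal again, so a fresh write time is the remaining trace.
        if ($_.LastWriteTime -gt $recent) { $reasons += "written $($_.LastWriteTime)" }
        [pscustomobject]@{ Shortcut = $_.FullName; Target = $target; Arguments = $arguments
                           Flags = ($reasons -join '; ') }
    } | Where-Object { $_.Flags }

# The macro's follow-on service: flag services whose binary lives in a user-writable location.
$serviceFindings = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $userWritable } |
    Select-Object Name, State, StartMode, PathName

$shortcutFindings | Format-List
$serviceFindings  | Format-Table -AutoSize
```

Run it from an elevated PowerShell so the public desktop and all services are readable; each flagged shortcut and service still needs a human decision, since legitimately installed software can also match.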
What is the exposure or risk:
The hijack has yet to receive an official severity ranking. Because it is still in its infancy, it is not widespread. Hijacked machines can be infected with malware and system data can be compromised; the data is compiled and sent back to the attacker in dump files.
What are the recommendations:
SKOUT recommends caution when opening Word documents sent via email and when encountering prompts to enable macros on a Windows device. We recommend you be on the lookout for emails with attached Word documents containing Russian text centered above the image of a house. It is also recommended to ignore any request to enable macros in a document from an unknown source. Be aware of this attack method, as newer and improved versions are likely to appear in the near future.
If you have any questions, please contact our Security Operations Center.