XML Files Containing Tainted Macros Help Spread Malware

Trustwave the security company cautions that cyber-criminals are cashing in on infected marcros concealed within Extensible Markup Language (XML) files as they attempt at spreading malicious software.

During the 1st-week of March this year (2015), researchers at Trustwave intercepted one spam campaign involving bulk e-mails containing a "remittance advice" attachment which supposedly arrived from different businesses. In those e-mails, recipients were directed for viewing the attachment that was actually one Word file but labeled as XML.

To open and view the file, Microsoft Word was necessary and in case the macros on the device were turned on, a malevolent code written with VBA (Visual Basics for Application) became active.

When turned on, the disguised macros pulled down Trojan Dridex via one distant server. Dridex filches banking details soon as victim signs into one Internet-based bank account. The Trojan waits on the computer till a targeted bank or credit company website is logged into following which it inserts an HTML into the site which directs the victim to give additional information such as card verification value (CVV), expiry date of the card, and social security number (SSN).

Threat Intelligence Manager Karl Sigler at Trustwave says never before was XML documents detected utilized as bait. With regards to macros they have been automatically turned off from the time Office 2007 was implemented. Threatpost.com published this, March 6, 2015.

Sigler continues that occasionally local 'admins' within large organizations possess the capability for enabling macros. While a few companies use them often, the practice isn't common. Usually, the default settings for macros are left. The reason why the cyber-criminals in discussion have used XML is difficult to understand. Possibly they are hunting one fresh attack vector after not receiving adequate click-through successes using spreadsheet files. Possibly they weren't acquiring users who would enable macros in the manner they desired so they are hunting one method for improving their success numbers.

However, for remaining safe from the spam run, it's urged that end-users don't view unsolicited spam messages as well as avoid viewing undesirable and unanticipated file attachments since they maybe malware-tainted, similar as within the aforementioned instance.

» SPAMfighter News - 3/16/2015