Join thousands of people who receive the latest breaking cybersecurity news every day.
The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.
The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.
Share this article:
Malicious email attachments with macros are one of the most common ways hackers get in through the door. Huntress security researcher John Hammond discusses how threat hunters can fight back.
Any cybersecurity attack — whether it be a breach, an incident or any form of compromise — starts with hackers getting in through the door. Threat actors and adversaries rely on gaining code execution on a target system which they can then leverage to do more damage—a phase commonly referred to as initial access.
More often than not, the easiest way for an attacker to gain initial access is by exploiting the human vulnerability. This involves tricking an end user into taking some action that ultimately gives the threat actor more power than they had before. They lay a trap and propose a cleverly disguised lie to as many potential victims as possible. Even though a threat actor may attempt to fool a thousand users at one time, they only need one to fall for the charade.
Infosec Insiders Newsletter
Threat actors design and deliver this scheme typically through email—the easiest way to put digital content in front of any individual. In today’s world, this is common language: “Be careful not to fall for phishing emails.” 
For decades, the security industry has attempted to train users to stay vigilant against phishing emails with the boilerplate basics you have heard time and time again: “Look for bad grammar or spelling mistakes,” “double-check the sending address,” “hover over the link,” etc. While these saturated lessons might help ward off the low-hanging fruit, well-crafted phishing emails from sophisticated actors may be genuinely hard to spot.
Phishing emails or any sort of digital deception carry similar traits, but might have different desired outcomes. The most successful phishing campaigns do three things: 
Pretense typically tugs at a person’s heartstrings or capitalizes on real-world threats or current events, such as the COVID-19 pandemic, taxes or elections, cryptocurrencies, or even blackmail and extortion (“I have your password/I have you on webcam” threats).
The overall goal of a phish, however, varies.
The adversary may set up a “lookalike” website, masquerading as a page that the user expected and intended to go to, but which instead delivers username and password combos to the threat actor when victims attempt to log in.
Source: Huntress.
The adversary also may implant code on a staged website or HTML file, forcing the user’s browser to download a file or leave behind cookies that can be used for later actions performed by the threat actor:
Source: Huntress.
The adversary most often however attaches a specific file to an email, suggesting that the user download it and open it on their own volition. This file often masquerades as a legitimate document, but will instead execute code upon being opened.
Source: Huntress.
Let’s turn our focus to this file-attachment attack vector—specifically, malicious Microsoft Office documents, which can run code with a macro.
One extremely common file attachment type included in phishing emails are Microsoft Office documents (like Word, PowerPoint or Excel)—masquerading as innocent files that any user or employee might open on a daily basis. 
Consider an HR representative or a hiring manager at any company. Their legitimate job function is to receive and handle applications from interested applicants, oftentimes opening incoming emails and downloading their attachments, perhaps to view an incoming prospect’s resume. 
Malicious Office documents, or maldocs, can execute code via macros if they are given explicit user permission. Once opened, the adversary must continue the charade and trick the user to click “Enable Editing” or “Enable Content” for a macro to run.
Source: Huntress.

Macro code will execute upon clicking the “Enable Content” via a specific function handler:
Sub Document_Open()
End Sub
Sub AutoOpen()
End Sub
Sub SubstitutePage()
ActiveDocument.AttachedTemplate.AutoTextEntries(“Candidate”).Insert Where:=Selection.Range, RichText=True
End Sub
The AutoOpen() or Document_Open() subroutines define the code that will run immediately once the Office document is opened or the user enables content. In the snippet of code above, the process to emulate “decrypting” the content is shown—simply switching out the original document with content that is saved in an attached template, taking advantage of another feature of Microsoft Word to hide things from the user.
There are several tools available to help threat hunters inside companies identify macros and catch them before they detonate. Here are two.
This tool tends to be run on Linux as it is a Python tool. It does a nice job of finding key indicators that might set off an alarm for a threat hunter. It generates an output that gives threat researchers a chunk of macro code to see if any of that code warrants additional attention.
Source: Huntress.
This tool takes a different approach than Olevba. Whereas Olevba decodes back-end VBAproject.bin files in .ZIP files and generates the source code, ViperMonkey emulates VisualBasic (VB) scripts to a certain extent. It can run VB shellcode and see what it does—all without posing any real harm to users. It can even bypass evasive techniques threat actors take when it comes to malicious Office documents, such as splitting up the code throughout the document to make it harder to identify. ViperMonkey can find those pieces of code and piece them together to be analyzed.
Source: Huntress.
Hiding malware within Office documents is not a new trick—it’s just a very successful one. Despite knowing the scams and noticing the red flags, we’re seeing a trend of more targeted and methodical phishing campaigns. And this might leave many defenders feeling like they’re playing a game of whack-a-mole and reacting to the new tricks and tactics that attackers are using. But as attackers have gotten better at social engineering and finding ways to dupe users and their technology, we like to think that us defenders are certainly rising to the challenge and better prepared for battle.
John Hammond is a senior security researcher at Huntress.
Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite
Share this article:
Scammers are using fake job listings to empty the wallets of young, hopeful victims looking to break into the gaming industry.
The Log4Shell vulnerability critically threatens anybody using the popular open-source Apache Struts framework and could lead to a “Mini internet meltdown soonish.”
Cyberattackers are targeting security vulnerabilities in four plugins plus Epsilon themes, to assign themselves administrative accounts.

This site uses Akismet to reduce spam. Learn how your comment data is processed.
Join thousands of people who receive the latest breaking cybersecurity news every day.
There’s a sea of unstructured data on the internet relating to the latest #cybersecurity threats. Join Threatpost’s…
3 days ago
Get the latest breaking news delivered daily to your inbox.
The First Stop For Security News
Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.