Hackers use macro-based attack to deploy malware, hijack desktop shortcuts and inject backdoor

Security researchers have discovered a new malware strain, which they suspect is still under development, leveraging malicious macros to deliver a backdoor.

Cybercriminals have been leveraging malicious macros in their attacks for decades. Over the years, the way hackers make use of these malicious macros has evolved.

In a recently discovered campaign, hackers made use of a malicious macro designed to identify specific shortcut files on the victim’s system and replace them with poisoned ones that lead the victim to download a malware. When a user clicks on the modified shortcuts, the malware is executed.

Modus operandi

Once the malware is executed, it recovers the original shortcut files to open up the correct applications. However, instead of downloading customized tools, the malware downloads commonly available tools such as various Windows tools, the remote admin tool Ammy Admin and more.

“While the macro and the downloaded malware are not sophisticated, this method is still interesting mostly because it has signs of continuing what seems to be unfinished development,” Trend Micro researchers, who discovered the new campaign, wrote in a blog.

Researchers also discovered that the infection chain for the attack began with a malicious macro-embedded document written in Russian. Once the victim enables macros, the malware attempts to search for specific shortcuts, including that of Skype, Chrome, Google, Opera, Mozilla Firefox and Internet Explorer.

“Once it finds a match, it downloads the malware according to its name and environment from Google Drive and GitHub. Upon checking, the malware files seem to have been removed or are no longer present online,” Trend Micro researchers said.

Evading detection

The malware has been designed to run a malicious service that helps cover the malware’s tracks. This service downloads the final payloads, including the Ammy Admin tool, which in turn modifies the permission settings of the remote admin tool.

The modified settings allow the malware operators to access the infected system. The malicious server then runs a shell script which stops all Ammyy processes that were running prior to the infection.

“It is difficult to determine what this part of the attack chain is for, as this step was not seen in the analysis of an earlier version of this malware, and is counterproductive to the entire attack,” Trend Micro researchers noted. “This malware, from the use of its macro to its installation, exhibits very unusual behavior and is likely still under development.

“We believe that the malware is not widely spread and have had only a few victims so far. However, it is important to be aware of this malware and method of attack, as newer and improved versions may be in the works.”