ZLoader Devises New Attack Method to Disable Macro Security Warnings

What has been observed?

• The infection map indicates that North America is the most impacted.
• The attack begins with a phishing email that carries a non-malicious Microsoft Word document as an attachment. Unsuspecting users enable macros for this file when they try to open it, which triggers the download of an Excel file.
• The Word document VBA reads the content of this Excel file and proceeds to write them to XLS VBA as macros.
• After writing the macros for the Excel file, the Word document updates Excel’s security policies to disable the Excel Macro warning, and then dynamically calls the malicious macro function.
• The execution of this malicious Excel macro ultimately downloads the Zloader payload, which is then executed by rundll32.exe.

Recent attacks by ZLoader

• A few months ago attackers were seen abusing Excel 4.0 Macros, a legacy scripting language that was deprecated long ago. However, recent versions of Microsoft Office continue to support this scripting language to maintain backward compatibility.
• In March, researchers observed instances of invoice flavored campaigns which implemented an advanced infection chain. The attacks relied on special data exchange tactics between various Microsoft Office document formats, creating a complex chain of events.

Concluding note