by Loseway Lu Despite being around for decades, cybercriminals are still using malicious macro to deliver malware, albeit in more creative ways to make them more effective. The threat actors behind a recent case used macro in a more roundabout way, with a macro that searches for specific shortcut files in the user’s system, which…Read More
The waves of backdoor-laden spam emails we observed during June and July that targeted Russian-speaking businesses were part of bigger campaigns. The culprit appears to be the Cobalt group, based on the techniques used. In their recent campaigns, Cobalt used two different infection chains, with social engineering hooks that were designed to invoke a sense of urgency in its recipients—the bank’s employees.
Of note were Cobalt’s other targets. The hacking group’s first spam run also targeted a Slovenian bank, while the second run targeted financial organizations in Azerbaijan, Belarus, and Spain.Read More
by John Anthony Bañes Malicious macros are commonly used to deliver malware payloads to victims, usually by coercing victims into enabling the macro sent via spam email. The macro then executes a PowerShell script to download ransomware or some other malware. Just this September EMOTET, an older banking malware, leveraged this method in a campaign that…Read More
We found another unique method being used to deliver malware—abusing the action that happens when simply hovering the mouse’s pointer over a hyperlinked picture or text in a PowerPoint slideshow. This technique is employed by a Trojan downloader (detected by Trend Micro as TROJ_POWHOV.A and P2KM_POWHOV.A), which we’ve uncovered in a recent spam email campaign in the EMEA region, especially organizations in the U.K., Poland, Netherlands, and Sweden. Affected industries include manufacturing, device fabrication, education, logistics, and pyrotechnics.Read More
The resurgence and continued prevalence of macro malware could be linked to several factors, one of which is their ability to bypass traditional antimalware solutions and sandboxing technologies. Another factor is the continuous enhancements in their routines: just recently, we observe that the macro malware related to DRIDEX and the latest crypto-ransomware variant, Locky Ransomware used Form object in macros to obfuscate the malicious code. With this improvement, it could further aid cybercriminals or attackers to hide any malicious activity they perform in their target network or system.Read More