14 DAY TRIAL // A very well conceived spear-phishing campaign using Office Macro attack vector has been discovered to target victims in banking, oil, television, and jewelry industries.
Researchers at Cisco have analyzed how the new threat operates and have noted that the cybercriminals take advantage of the Visual Basic Scripting for Applications feature in Microsoft Word to deliver the malware to the victim’s computer.
“When the victim opens the Word document, an On-Open macro fires, which results in downloading an executable and launching it on the victim’s machine,” the Cisco blog post says.
Using macros in malicious campaigns is an old approach, but in this case, the threat actors have combined the cloud storage services from Dropbox to host the payloads.
Luring the victim to open the document is done through an email that purports to be an invoice, purchase order or receipt created specifically for the target.
Should the victim launch the attached Word file, the malicious executable is retrieved from Dropbox by the macro and once on the computer, it contacts several domains.
The cloud storage account hosts a total number of four pieces of payload for the exploit; Dropbox has been notified by the Cisco researchers and the share links have been disabled.
Upon investigating the domains contacted by the malicious file, which are believed to be command and control servers, the security researchers found clues in the whois records that allowed them to link the group behind this operation to a number of other domains and email addresses.
Furthermore, the information helped trace other malicious campaigns, relying on other pieces of malware, that could be associated with this particular threat actor.
Cisco researchers said that the amount of information uncovered by digging into the whois records and examining matching details with other domains and campaigns is quite vast and it also led to associating some of the contact addresses to domains using privacy protection services.
Evasion attempts were also recorded, as whois records would change between browser refreshes. “If you monitor whois history you can still view all of this information, including the evasion attempt. While we were performing the investigation, items like addresses, email addresses, and such were changed, literally, in between browser refreshes.”
The starting point for the researchers was the “londonpaerl.co.uk” domain, a typo-squat of the “londonpearl.co.uk,” which is a reputable supplier of cultured pearls and jewelry. From the analysis of the domain's whois records and passive DNS information, it appears that these cybercriminals have been in the business since at least 2007.