
43% of all Malware Installations are Concealed in Microsoft Office Documents


With the shift from office-based to remote work, companies now rely on hundreds of cloud applications, many of which may be vulnerable to attack or exploitation. This has widened the attack surface and exposed them to a host of new threats.

Although hiding malware in office documents has been around for a long time, it remains very effective at duping people. After embedding a malicious macro in an office document, attackers email the infected file to thousands of recipients and wait for victims to open it. A macro is a collection of commands packaged together to perform a task automatically.

According to recent research by the Atlas VPN team, malicious office documents account for 43 percent of all malware installations. Malicious office files are popular among cybercriminals because they evade detection by most antivirus programs.

The research is based on the Netskope Threat Lab Cloud and Threat Report: July 2021 Edition. It examined office documents from all platforms, including Microsoft Office 365, Google Docs, PDFs, and others. A year earlier, in the second quarter of 2020, only 14 percent of all downloaded malware consisted of malicious office documents. In the third quarter of that year the share rose to 38%. The growth was driven mainly by remote work, as attackers found that malware-laden documents worked well against remote employees.

Word of Emotet's effectiveness appears to have spread swiftly among cybercriminal gangs, motivating other attackers to adopt a similar approach. Another reason malicious documents succeed is that they can evade antivirus software and appear to come from a trusted source.

Malicious-document attacks are designed to exploit the user's inability to recognize the danger. Only a combination of security awareness, training, and security software provides the highest level of protection.

Fraudsters have taken advantage of the popularity of Microsoft Office and Google Docs by embedding malicious code in documents. To protect users from malware, organizations must design and maintain a cybersecurity plan that addresses both the technological and the human components.

Hackers Have Devised a New Trick to Disable Macro Security Warnings


Threat actors have found a novel way to disable macro security warnings in malspam campaigns that use non-malicious documents. Microsoft Office macro malware that relies on social engineering to infect computers has been a fixture of the threat landscape for years, and malware authors keep refining their techniques to avoid detection. Macro obfuscation, DDE, living-off-the-land binaries (LOLBAS), and even the still-supported legacy XLS format are among the techniques used.

According to McAfee Labs analysts, threat actors are now using non-malicious documents to disable security warnings before running macro code on the recipient's computer. The macro in the initial spammed attachment contains no malicious code itself; instead it downloads and runs malicious DLLs (ZLoader). ZLoader has been active since at least 2016 and was used to distribute Zeus-like banking trojans (e.g. Zeus OpenSSL). It borrows several functions from the well-known Zeus banking Trojan.

The attack chain begins with a spam email carrying a Microsoft Word document that, once opened, downloads a password-protected Microsoft Excel file from a remote server. The download only starts after the victim has enabled the macros hidden in the Word document. “After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions,” reads the analysis published by McAfee.

“Once the macros are written and ready, the Word document sets the policy in the registry to ‘Disable Excel Macro Warning’ and invokes the malicious macro function from the Excel file. The Excel file now downloads the ZLoader payload. The ZLoader payload is then executed using rundll32.exe.” 

In other words, the Word VBA extracts the cell contents from the XLS file and uses them to generate a new macro for the same XLS file, writing the cell contents into the XLS VBA project as functions. Once the macros are in place, the Word document disables the macro security warning by setting the registry policy (HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\AccessVBOM) to Disable Excel Macro Warning and runs the malicious Excel macro function. The Excel file then downloads the ZLoader payload and runs it with rundll32.exe.

“Malicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payloads,” the researchers conclude.
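As an added defender's check that is not part of the McAfee analysis or this post: the audit below parses the text output of `reg query HKCU\Software\Microsoft\Office /s` (a constructed sample is embedded inline) and flags the AccessVBOM setting the chain above flips, plus the related VBAWarnings value that silently enables all macros. The sample data and function names are my own.

```python
import re

# Values under HKCU\Software\Microsoft\Office\<ver>\<app>\Security that weaken
# macro protection. AccessVBOM=1 grants macros programmatic access to the VBA
# project (what the Word document needs to write a macro into the XLS);
# VBAWarnings=1 means "enable all macros" with no warning bar at all.
RISKY = {
    ("accessvbom", 1): "trust access to the VBA project object model enabled",
    ("vbawarnings", 1): "all macros enabled without notification",
}
SECURITY_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\(?P<ver>\d+\.\d+)\\"
    r"(?P<app>Word|Excel|PowerPoint|Outlook|Access)\\Security$", re.IGNORECASE)
DWORD_VALUE = re.compile(r"^(?P<name>\S+)\s+REG_DWORD\s+0x(?P<hex>[0-9a-f]+)$", re.IGNORECASE)

# Constructed sample of `reg query HKCU\Software\Microsoft\Office /s` output.
SAMPLE_REG_QUERY = r"""HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security
    AccessVBOM    REG_DWORD    0x1
    VBAWarnings    REG_DWORD    0x2

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security
    VBAWarnings    REG_DWORD    0x2

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security
    VBAWarnings    REG_DWORD    0x1
    AccessVBOM    REG_DWORD    0x0
"""


def audit_macro_security(reg_query_output):
    """Return (app, version, value name, data, reason) for each weakened setting."""
    findings = []
    current = None  # (app, version) of the Security key whose values follow
    for raw in reg_query_output.splitlines():
        line = raw.strip()
        if line.upper().startswith("HKEY_"):
            m = SECURITY_KEY.match(line)
            current = (m.group("app"), m.group("ver")) if m else None
            continue
        if not current or not line:
            continue
        v = DWORD_VALUE.match(line)
        if not v:
            continue
        name, data = v.group("name"), int(v.group("hex"), 16)
        reason = RISKY.get((name.lower(), data))
        if reason:
            findings.append((*current, name, data, reason))
    return findings
```

Run it against the export of each user hive on a machine; any AccessVBOM=1 outside a developer workstation deserves a look at what wrote it.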

Cracked Versions of Some Software Steal Session Cookies and Monero Cryptocurrency


Bitdefender, a cybersecurity company based in Bucharest, Romania, has warned that cracked versions of Microsoft Office and Adobe Photoshop steal browser session cookies and Monero cryptocurrency from the users who install the pirated apps.

As most readers will know, cracked software is a genuine application with its registration or licensing checks removed. In earlier days, cracked software (also known as warez) was mainly exchanged over BitTorrent and mostly attracted freeloaders who wanted to use a particular suite without paying for a license.

These cracks, however, come at a different price: Bitdefender observed that some versions of both suites circulate with malware that captures browser session cookies (or, in Firefox, the complete user profile history), hijacks Monero cryptocurrency deposits and exfiltrates data over BitTorrent, having first opened a backdoor and disabled the machine's firewall.

"Once executed, the crack drops an instance of ncat.exe (a legitimate tool to send raw data over the network) as well as a Tor proxy," said Bogdan Botezatu, Bitdefender's director of threat research and reporting, and security researcher Eduard Budaca. They added: "The tools work together to create a powerful backdoor that communicates through TOR with its command-and-control center: the ncat binary uses the listening port of the TOR proxy ('--proxy') and uses the standard '--exec' parameter, which allows all input from the client to be sent to the application and responses to be sent back to the client over the socket (reverse shell behavior)."

Reportedly, the operators take time to assess whether a compromised machine is worth robbing, depending on the value they estimate they could extract from it.

Before cloud-based software-as-a-service business models became feasible, vendors depended entirely on physical media to deliver the whole program to end users. Copy protection was the immediate and common target for crackers, and the result was unlawful copies of otherwise fully functioning software sold at a much lower price.

“Pirated software is never the way to go, however tempting it may be, as the risks tend to always outweigh the benefits,” sources further noted. 

Microsoft Office 365 Exposing User’s IP Address in Emails

Microsoft Office 365's webmail interface has been found to expose the user's IP address by injecting it into outgoing messages as an extra mail header.

This is a significant warning for anyone who used the Office 365 webmail interface in the belief that it hides their IP address: in reality it conceals nothing.

Whenever an email is sent through Office 365 webmail, the service injects an extra mail header called x-originating-IP that contains the IP address of the connecting client, which in this case is the user's own IP address.

BleepingComputer went on to test the webmail interfaces of Gmail, Yahoo, AOL, and Office 365.

Microsoft removed the x-originating-IP header from Hotmail in 2013 to give its users better security and privacy.

"Please be informed that Microsoft has opted to mask the X-Originating IP address. This is a planned change on the part of Microsoft in order to secure the well-being and safety of our customers."

For Office 365, however, which caters to the enterprise, the header was deliberately left in so that admins can scan for email sent to their organization from a specific IP address. This is particularly helpful for locating the sender when an account has been hacked.

Office 365 admins who do not want this header can create a new rule in the Exchange admin center that removes it.

For security and auditing purposes, however, it is probably wiser to keep it enabled.
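An added example, not from the original post or from Microsoft: the helpers below use Python's standard `email` module to pull the client address out of the X-Originating-IP header (with or without the surrounding square brackets), to find which stored messages came from a given address (the admin use described above), and to drop the header the way a removal rule in the Exchange admin center would. The message and the address are constructed samples.

```python
import email
import ipaddress
from email import policy

# Constructed message in the shape Office 365 webmail produces when the
# X-Originating-IP header is present; the address is a documentation-range sample.
SAMPLE_MESSAGE = """\
From: alice@example.com
To: bob@example.com
Subject: quarterly report
X-Originating-IP: [203.0.113.7]
Content-Type: text/plain

Attached as discussed.
"""


def originating_ip(raw_message):
    """Return the client address from X-Originating-IP, or None if absent/unparseable."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    value = msg.get("X-Originating-IP")
    if value is None:
        return None
    # Accept the address with or without the surrounding square brackets.
    try:
        return ipaddress.ip_address(str(value).strip().strip("[]"))
    except ValueError:
        return None


def messages_from(raw_messages, address):
    """The admin use from the post: indexes of messages whose client IP matches."""
    target = ipaddress.ip_address(address)
    return [i for i, raw in enumerate(raw_messages) if originating_ip(raw) == target]


def strip_originating_ip(raw_message):
    """What a header-removal rule achieves: drop every copy of the header and
    return the message otherwise unchanged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    del msg["X-Originating-IP"]
    return msg.as_string()
```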

Multi-factor authentication bypassed to hack Office 365 & G Suite Cloud accounts

Massive IMAP-based password-spraying attacks have successfully breached Microsoft Office 365 and G Suite accounts while circumventing multi-factor authentication (MFA), according to an analysis by Proofpoint.

As noted by Proofpoint's Information Protection Research Team in a recent report, during a "recent six-month study of major cloud service tenants, Proofpoint researchers observed attackers are targeting legacy protocols with stolen credential dumps to increase the speed and efficiency of the brute force attacks."

According to Proofpoint's study, IMAP is the most abused protocol, because it bypasses both MFA and the lock-out options for failed logins.

This technique takes advantage of the fact that legacy IMAP authentication bypasses MFA, allowing attackers to run credential-stuffing attacks against accounts that would otherwise be protected.

These smarter brute-force attacks take a different approach from traditional brute force, which simply tries combinations of usernames and passwords.

Proofpoint's analysis of over one hundred thousand unauthorized logins across millions of monitored cloud user accounts found that:

▬ 72% of tenants were targeted at least once by threat actors
▬ 40% of tenants had at least one compromised account in their environment
▬ Over 2% of active user-accounts were targeted by malicious actors
▬ 15 out of every 10,000 active user-accounts were successfully breached by attackers

The analysis also found that around 60% of all Microsoft Office 365 and G Suite tenants have been targeted with IMAP-based password-spraying attacks and, as a direct result, approximately 25% of the G Suite and Office 365 tenants that were attacked also suffered a successful breach.

Overall, Proofpoint concluded that threat actors achieved a surprising 44% success rate in breaching accounts at targeted organizations.

The attackers' ultimate aim is to gain a strong foothold in the organization and launch internal phishing, which is much harder to detect than phishing from outside.
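An added detection example, not part of the Proofpoint report or this post: it runs over constructed sign-in records and flags the spraying pattern described above, one source trying many distinct accounts over a legacy protocol inside a short window, and lists which of those accounts it got into. Per-account lockout never sees this pattern because each account receives only one or two attempts. The log format, field names and thresholds are my own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (time, source IP, account, client protocol, result)
# in the shape a cloud tenant's sign-in export might give. The first source walks
# through five accounts over IMAP in seconds; the second hammers one account in
# the browser, which is ordinary brute force and not spraying.
SAMPLE_LOG = """\
2021-03-01T08:00:01Z 198.51.100.9 alice@example.com IMAP4 Failure
2021-03-01T08:00:04Z 198.51.100.9 bob@example.com IMAP4 Failure
2021-03-01T08:00:07Z 198.51.100.9 carol@example.com IMAP4 Failure
2021-03-01T08:00:10Z 198.51.100.9 dave@example.com IMAP4 Failure
2021-03-01T08:00:13Z 198.51.100.9 erin@example.com IMAP4 Success
2021-03-01T08:05:00Z 203.0.113.4 alice@example.com Browser Failure
2021-03-01T08:05:10Z 203.0.113.4 alice@example.com Browser Failure
2021-03-01T08:05:20Z 203.0.113.4 alice@example.com Browser Success
"""

LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP"}  # bare-password auth, sidesteps MFA


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, ip, account, protocol, result = line.split()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "account": account, "protocol": protocol, "result": result})
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_accounts=4):
    """Flag each source IP that tried at least min_accounts distinct accounts over
    a legacy protocol within one window; report the accounts it logged into."""
    by_ip = defaultdict(list)
    for e in events:
        if e["protocol"] in LEGACY_PROTOCOLS:
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        best, start = None, 0
        for end in range(len(evs)):  # sliding window over this source's attempts
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {e["account"] for e in span}
            if len(accounts) >= min_accounts and (best is None or len(accounts) > best[0]):
                best = (len(accounts), span)
        if best:
            hits = sorted({e["account"] for e in best[1] if e["result"] == "Success"})
            alerts.append({"ip": ip, "accounts": best[0], "compromised": hits})
    return alerts
```

The successful legacy-protocol sign-in inside a flagged window is the account to reset first; the durable fix is disabling legacy authentication for the tenant so IMAP cannot be used with a bare password at all.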

Adobe Patched Zero-Day Vulnerability

Adobe has recently issued a security update for Flash Player in order to fix a zero-day vulnerability that was exploited by attackers in the wild.

The Flash Player vulnerability (CVE-2018-5002), a stack-based buffer overflow that could allow arbitrary code execution, was patched on June 7.

The flaw was discovered and independently reported by several security firms, notably ICEBRG, Tencent, and two security teams from the Chinese cybersecurity giant Qihoo 360. Tracked as CVE-2018-5002, it affects Adobe Flash Player and earlier versions and was reported fixed with the timely release of Flash Player

“It allows for a maliciously crafted Flash object to execute code on victim computers, which enables an attacker to execute a range of payloads and actions,” said the researchers from ICEBRG's Security Research Team, who were the first to report the vulnerability.

According to ICEBRG analysts, the exploit uses a carefully crafted Microsoft Office document to download and execute an Adobe Flash exploit on the victim's PC. The documents were delivered primarily by email, according to Adobe.

Both ICEBRG and Qihoo 360 found evidence suggesting that the exploit targeted Qatari victims, given the geopolitical interests involved.

“The weaponized document … is an Arabic language themed document that purports to inform the target of employee salary adjustments,” ICEBRG researchers said. “Most of the job titles included in the document are diplomatic in nature, specifically referring to salaries with positions referencing secretaries, ambassadors, diplomats, etc.”

According to Will Dormann of CERT/CC, besides fixing the flaw itself, Adobe also added an extra dialog that asks users whether they want to load remote SWF files inside Office documents. This prompt also addresses an issue with Office applications, where Flash content was sometimes downloaded automatically without asking the user first.