Photo Credit: Twitter/ Microsoft Security Intelligence
Microsoft is drawing attention to a new malware attack that infects Windows systems using its own Office software’s macro functions. A new malware campaign is doing the rounds and it essentially employs a complex infection chain to download and run the notorious FlawedAmmyy RAT malware directly in memory. The attack starts with an email and .xls attachment with content in the Korean language, indicating that it is primarily targeting Korean users. It uses malicious macro functions in an Excel attachment to attack Windows PCs.
According to security firm Proofpoint, the malicious campaign has been started by a group called TA505. They have been responsible for similar attacks in the past, the security firm says, and this particular latest trick involves a malicious email and an Excel attachment that Microsoft warns users from opening.
“When opened, the .xls file automatically runs a macro function that runs msiexec.exe, which in turn downloads an MSI archive. The MSI archive contains a digitally signed executable that is extracted and run[s], and that decrypts and runs another executable in memory,” Microsoft notes in its series of tweets.
A file called wsus.exe is then downloaded and decrypted, and it is intelligently designed to pass off as the official Microsoft Windows Service Update Service (WSUS). It is digitally signed on June 19, and decrypts the payload in RAM, delivering the FlawedAmmyy payload.
Microsoft says that its Threat Protection defends customers from this attack. “Cloud-based machine learning protections in Microsoft Defender ATP blocked all of the components of this attack at first sight, including the FlawedAmmyy RAT payload. Office 365 ATP detects the email campaign,” the company notes.