To survive, macro downloaders have to constantly develop new techniques for evading sandbox environments and anti-virus applications. Recently, Fortinet spotted a malicious document macro designed to bypass Microsoft Windows' UAC security and execute Fareit, an information-stealing malware, with elevated (high-integrity) privileges. The malicious document is distributed by spam email. As part of its social-engineering lure, the email is presented as a message from someone interested in a product. Fig. 1: Spam with the malicious...
by Joie Salvio and Rommel Joven  |  Dec 16, 2016  |  Filed in: Security Research
Modern malware uses every available attack vector to infect a system. Email, which is available to almost everyone, is a common carrier. In this type of attack, attackers lure users into opening malicious attachments that look like documents but carry multiple file extensions, such as "financial.doc.exe". Because Windows Explorer hides extensions of known file types by default, the user usually sees only "financial.doc", without the ".exe", which makes it easy to assume the file is a Microsoft Word document. Once the file is clicked and executed, the...
by Raul Alvarez  |  Apr 29, 2015  |  Filed in: Security Research
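The double-extension lure described in the excerpt above (a "financial.doc.exe" that the user sees as "financial.doc") is straightforward to check for at a mail gateway or in a triage script. The following Python is an added example and is not code from the Fortinet post: it reports what the user would see with extensions hidden and flags attachments whose real extension is executable while the visible remainder looks like a document. The extension sets and the sample attachment names are assumptions constructed for illustration, not a complete catalogue.

```python
"""Flag attachment names that hide an executable behind a document-looking
double extension (e.g. "financial.doc.exe" displayed as "financial.doc").

Added example, not Fortinet's code. Extension sets are illustrative assumptions.
"""
import os
from dataclasses import dataclass

# Assumed for this example: extensions Windows runs as code, and document
# extensions an attacker wants the victim to believe in.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi"}
DOCUMENT_EXTS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
                 ".ppt", ".pptx", ".pdf", ".rtf", ".txt"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS  # types Explorer would hide


@dataclass(frozen=True)
class Verdict:
    filename: str
    displayed_as: str   # what Explorer shows with known extensions hidden
    true_ext: str       # the extension Windows actually dispatches on
    executable: bool    # true_ext is one Windows will run as code
    deceptive: bool     # executable hiding behind a document-looking name


def classify_attachment(name: str) -> Verdict:
    """Classify one attachment filename; case-insensitive on extensions."""
    name = name.strip()
    shown, true_ext = os.path.splitext(name)   # only the LAST extension counts
    true_ext = true_ext.lower()
    executable = true_ext in EXECUTABLE_EXTS
    # With a known extension hidden, the user sees `shown`; if `shown` itself
    # ends in a document extension, the name was built to mislead.
    _, visible_ext = os.path.splitext(shown)
    looks_like_document = visible_ext.lower() in DOCUMENT_EXTS
    displayed_as = shown if true_ext in KNOWN_EXTS else name
    return Verdict(name, displayed_as, true_ext, executable,
                   executable and looks_like_document)


def scan_attachments(names):
    """Return the filenames that use a deceptive document-then-executable pattern."""
    return [v.filename for v in map(classify_attachment, names) if v.deceptive]


# Constructed sample input for the example (not real campaign data).
SAMPLE_ATTACHMENTS = [
    "financial.doc.exe",   # the lure from the post
    "report.docx",         # benign document
    "setup.exe",           # executable, but not pretending to be a document
    "invoice.PDF.scr",     # mixed-case variant of the same trick
    "notes.txt",
]

if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        v = classify_attachment(n)
        print(f"{v.filename:20} shown as {v.displayed_as:16} "
              f"exec={v.executable!s:5} deceptive={v.deceptive}")
    print("flagged:", scan_attachments(SAMPLE_ATTACHMENTS))
```

Only the last extension matters to Windows, so the check keys on `os.path.splitext` rather than on counting dots; a plain "setup.exe" is executable but is not flagged as deceptive, which keeps the rule specific to the social-engineering pattern the post describes.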
In early November, we experienced an influx of Microsoft Word documents that contained malicious macros. Just when the computer security industry was on the verge of forgetting these oldies, they came back to life, proving that they will not be eliminated that easily. In June, Ruhai Zhang warned of macro threats that continue to spread, particularly those that use Microsoft Excel. In this blog post, I will go over a family of Microsoft Word macros, detected as WM/Agent!tr, that I have encountered in the past couple...
by Sousan Yazdi  |  Jan 06, 2015  |  Filed in: Security Research
Whenever we refer to macro threats, we are reminded of the malicious macros of the old days that infected Microsoft Office documents. Contrary to popular belief, macro threats have not completely disappeared. Even with the many new security features added to Microsoft Office, and with users' improved security awareness, macro threats persist. These new macro threats, however, have changed their role from infectors to droppers that decrypt, decode, drop, and execute a payload. In this way, the payload...
by Ruhai Zhang  |  Jun 17, 2014  |  Filed in: Security Research