CISCO HAS DISCOVERED spearphishing malware in Microsoft Word that uses an exploit targeting the software's Visual Basic Scripting for Applications feature.
Cisco's investigation into the malware identified a group of attacks by the same threat actor. Cisco exposed the threat actor's network after discovering a Microsoft Word document that downloaded and executed a secondary sample, which then began beaconing to a command and control server.
"While basic, the Office Macro attack vector is obviously still working quite effectively," Cisco technical lead Craig Williams said in a blog post. "When the victim opens the Word document, an On-Open macro fires, which results in downloading an executable and launching it on the victim's machine."
Williams said that this threat actor seemed to target high-profile, rich industries such as banking, oil, television and jewellery companies, and that victims of the attacks were duped into opening an email attachment in the form of an invoice written specifically for the recipient.
"The message [was] a fairly simple phish email which includes a fake name and an attached Microsoft Word document. However, this was simply the outer layer of the onion so it's best, we think, to start from the beginning," Williams said.
"This particular phishing attempt was noticed in Cisco's email corpus due to the email attachment's poor block rates at most antivirus engines."
"For the duration of this campaign there is one thing that remained consistent: at best, a few antivirus engines may have generically detected the attached malware but more often than not coverage was provided by a single vendor, or no coverage was provided at all."