Not your favorite Java
Figure 2: Sample code and URL
Figure 3: Another code sample
Figure 4: Another code sample
Figure 5: Another code sample
These URLs are mostly short-lived, but when the download succeeds, the malware (in this case Ransom:Win32/Locky) enters the system and proceeds with its destructive mission.
It is interesting to note that an Office attachment with malicious macros typically requires two or more clicks on the document to run it: one click to open the document, and another to enable the macros.
Same stuff, new package
Email attachments have long been a common vector for spreading malware. In the past months, we have seen Office file attachments that contain malicious macros. The code is simple and straightforward; its main objective is to download and execute other malware, such as password stealers, backdoors and ransomware.
These malicious email attachments are distributed through spam campaigns. The campaigns draw on a range of social engineering themes that appeal to people's curiosity, enough for them to take action and click what shouldn't be clicked: from finance-related subjects like receipts, invoices and bank accounts, to resumes and shipment notifications.
Figure 9: A screenshot of a sample bank-related email spam.
Figure 10: A screenshot of a sample remittance-themed email spam.
Figure 11: A screenshot of a sample invoice-themed email spam.
Figure 12: A screenshot of a sample resume-themed email spam.
Figure 13: A screenshot of a shipment notification-themed email spam.
Figure 14: A screenshot of a sample debt case-themed email spam.
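As an added illustration (not code from the original post), a small Python triage routine that checks a constructed sample email for the two signals described above: a lure-themed subject line and an Office attachment that carries a VBA project. It assumes OOXML attachments (.docm/.xlsm), where macro code is stored in a vbaProject.bin part; the keyword list, addresses and sample message are constructed.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Lure themes named in the post (constructed keyword list)
LURE_WORDS = ("receipt", "invoice", "bank", "remittance", "resume", "shipment", "debt")
SCRIPT_EXT = (".js", ".jse", ".vbs", ".wsf", ".hta")


def has_vba_project(data: bytes) -> bool:
    """OOXML (docm/xlsm/pptm) keeps VBA code in a vbaProject.bin part of the zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container, so not OOXML


def triage(raw: bytes) -> dict:
    """Return the lure-theme flag and a list of (filename, reason) for risky attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    findings = {"lure_theme": any(w in subject for w in LURE_WORDS), "risky_attachments": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(SCRIPT_EXT):
            findings["risky_attachments"].append((name, "script attachment"))
        elif has_vba_project(data):
            findings["risky_attachments"].append((name, "OOXML with VBA macro"))
    return findings


def build_sample() -> bytes:
    """Constructed invoice-themed mail with a .docm whose zip contains vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00")  # placeholder bytes, not real VBA
    msg = EmailMessage()
    msg["Subject"] = "Invoice #4821 overdue"
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    return msg.as_bytes()
```

Run `triage(build_sample())` to see both signals fire on the constructed sample; a plain .docx without a vbaProject.bin part is not flagged.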
Mitigation and prevention
- Use Windows Defender for Windows 10 as your antimalware scanner.
- Ensure that Microsoft Active Protection Service has been enabled.
- Use Office 365 Advanced Threat Protection. Its machine learning capability helps your network administrators block dangerous email threats.
- Use the AppLocker group policy to prevent dubious software from running.
- Though ransomware and macro-based malware are on the rise, there’s still something that you can proactively do: