Microsoft: We're fighting Windows malware spread via Excel in email with bad macro

Don't enable macros, Microsoft warns, because a new malware campaign is aiming at fully patched Windows PCs.

A single actor is scanning Windows systems vulnerable to the BlueKeep flaw A threat actor hidden behind Tor nodes is scanning for Windows systems vulnerable to BlueKeep flaw. Read more: https://zd.net/2JWjK73

Microsoft is drawing attention to a cybercrime campaign that relies on Office features to compromise Windows systems. 

Office applications remain a favorite tool for cyber criminals to exploit to compromise Windows PCs en masse.

Earlier this month Microsoft warned that attackers were firing spam that exploited an Office flaw to install a trojan. The bug meant the attackers didn't require Windows users to enable macros. 

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

However, a new malware campaign that doesn't exploit a specific vulnerability in Microsoft software takes the opposite approach, using malicious macro functions in an Excel attachment to compromise fully patched Windows PCs.      

According to Microsoft's Security Intelligence team, the campaign "employs a complex infection chain to download and run the notorious FlawedAmmyy [remote-access trojan] RAT directly in memory."

FlawedAmmyy is known to have been used to target businesses in finance and retail, according to security firm Proofpoint, which calls the group behind it TA505. The group frequently uses Microsoft attachments and social engineering to compromise victims' systems. 

The attack starts with an email and .xls or Excel attachment, which Microsoft is warning recipients not to open.

"When opened, the .xls file automatically runs a macro function that runs msiexec.exe, which in turn downloads an MSI archive. The MSI archive contains a digitally signed executable that is extracted and run, and that decrypts and runs another executable in memory," Microsoft notes in a thread about the threat. 

The technique of running in memory does help malware avoid detection from antivirus that scans files only on disk. 

The malicious executable then downloads and decrypts a file called wsus.exe that's designed to be passed off as the official Microsoft Windows Service Update Service (WSUS). The executable file was digitally signed on June 19 and decrypts the payload in RAM, delivering the FlawedAmmyy payload. 

This particular attack appears aimed at Korean-speaking Windows users due to the attachment including Korean-language characters. 

Microsoft has been investing in its Windows Defender infrastructure to improve its own built-in antivirus compared with the ecosystem of vendors built around protecting Windows systems from malware. 

The Windows-maker argues that, "Microsoft Threat Protection defends customers from this attack." 

Additionally, Defender ATP's machine-learning systems "blocked all the components of this attack at first sight, including the FlawedAmmyy RAT payload", while enterprise users of Office 365 ATP can rest assured that Microsoft's Office 365 security tools do detect the spam. 

As noted by BleepingComputer, TrendMicro last week detailed TA505 activities targeting Windows users in Chile, Mexico, China, South Korea, and Taiwan. The attacks primarily took place using malicious macros for Microsoft Office applications and resulted in victims running the FlawedAmmyy malware.

More on Microsoft and Windows security