Earlier that will month a cybersecurity researcher shared details of a security loophole with The Hacker News that will affects all versions of Microsoft Office, allowing malicious actors to create in addition to spread macro-based self-replicating malware.
Macro-based self-replicating malware, which basically allows a macro to write more macros, can be not fresh among hackers, however to prevent such threats, Microsoft has already introduced a security mechanism in MS Office that will by default limits that will functionality.
Lino Antonio Buono, an Italian security researcher who works at InTheCyber, reported a simple technique (detailed below) that will could allow anyone to bypass the security control put in place by Microsoft in addition to create self-replicating malware hidden behind innocent-looking MS Word documents.
What’s Worse? Microsoft refused to consider that will issue a security loophole when contacted by the researcher in October that will year, saying the item’s a feature intended to work that will way only—just like MS Office DDE feature, which can be at that will point actively being used by hackers.
fresh ‘qkG Ransomware’ Found Using Same Self-Spreading Technique
Interestingly, one such malware can be on its way to affect you. I know, that will was fast—even before its public disclosure.
Just yesterday, Trend Micro published a report on a fresh piece of macro-based self-replicating ransomware, dubbed “qkG,” which exploits exactly the same MS office feature that will Buono described to our team.
Trend Micro researchers spotted qkG ransomware samples on VirusTotal uploaded by someone through Vietnam, in addition to they said that will ransomware looks “more of an experimental project or a proof of concept (PoC) rather than a malware actively used from the wild.”
The qkG ransomware employs Auto Close VBA macro—a technique that will allows executing malicious macro when victim closes the document.
The latest sample of qkG ransomware at that will point includes a Bitcoin address using a smaller ransom note demanding $300 in BTC as shown.
the item should be noted that will the above-mentioned Bitcoin address hasn’t received any payment yet, which apparently means that will that will ransomware has not yet been used to target people.
Moreover, that will ransomware can be currently using the same hard-coded password: “I’m QkG@PTM17! by TNA@MHT-TT2” that will unlocks affected files.
Here’s How that will fresh Attack Technique Works
In order to make us understand the complete attack technique, Buono shared a video with The Hacker News that will demonstrates how an MS Word document equipped with malicious VBA code could be used to deliver a self-replicating multi-stage malware.
If you are unaware, Microsoft has disabled external (or untrusted) macros by default in addition to to restrict default programmatic access to Office VBA project object style, the item also offers users to manually enable “Trust access to the VBA project object style,” whenever required.
With “Trust access to the VBA project object style” setting enabled, MS Office trusts all macros in addition to automatically runs any code without showing security warning or requiring user’s permission.
Buono found that will that will setting can be enabled/disabled just by editing a Windows registry, eventually enabling the macros to write more macros without user’s consent in addition to knowledge.
As shown from the video, a malicious MS Doc file created by Buono does the same—the item first edits the Windows registry in addition to then injects same macro payload (VBA code) into every doc file that will the victim creates, edits or just opens on his/her system.
Victims Will be Unknowingly Responsible for Spreading Malware Further
In some other words, if the victim mistakenly allows the malicious doc file to run macros once, his/her system would certainly remain open to macro-based attacks.
Moreover, the victim will also be unknowingly responsible for spreading the same malicious code to some other users by sharing any infected office files through his/her system.
that will attack technique could be more worrisome when you receive a malicious doc file through a trusted contact who have already been infected with such malware, eventually turning you into its next attack vector for others.
Although that will technique can be not being exploited from the wild, the researcher believes the item could be exploited to spread dangerous self-replicating malware that will could be difficult to deal with in addition to put an end.
Since that will can be a legitimate feature, most antivirus solutions do not flag any warning or block MS Office documents with VBA code, neither the tech company has any plans of issuing a patch that will would certainly restrict that will functionality.
Buono suggests “In order to (partially) mitigate the vulnerability the item can be possible to move the AccessVBOM registry key through the HKCU hive to the HKLM, creating the item editable only by the system administrator.”
The best way to protect yourself through such malware can be always to be suspicious of any uninvited documents sent via an email in addition to never click on links inside those documents unless adequately verifying the source.