• Stop Threats

    End-to-End Email Security

    Defend your organization with a complete email security solution designed to identify, protect, detect & respond to threats.

    Security Awareness Training

    Condition your workforce against today’s latest threats and transform them into your front line of defense.

    Global Intelligence Network

    Protect your organization with our deep analysis into the current threat landscape and emerging trends.

    Cofense vs. The Competition

    See why the Cofense Intelligent Email Security suite stands out against the competition 

    Business Email Compromise (BEC)

    BEC amounts to an estimated $500 billion-plus annually that’s lost to fraud. Ensure your business is protected.

    Ransomware & Malware

    Phishing is the #1 attack vector for ransomware attacks. Stop phishing attacks in their tracks.

    Credential Theft

    Protect your user’s credentials and avoid a widespread, malicious attack.

  • Solutions

    Email Security for the Enterprise

    Complete threat protection, detection and response tailored for enterprise businesses.

    Email Security for the Mid Market

    Security awareness training + email security protection purpose-built for your mid-market organizations.

    Email Security for Managed Service Providers (MSPs)

    Best-in-Class Phishing Protection and Simulations designed for MSPs, from the ground up.

    Managed Email Security Solutions

    Protect your organization from attacks with managed services from the Cofense Phishing Defense Center™.

    Detect and Stop Attacks

    Automatically identify and quarantine email threats across your organization in minutes.

    Analyze & Remediate Reported Threats

    Accelerate threat detection and response, empowering fast resolution.

    Actionable Insight into Emerging Threats

    Protect your organization with our deep analysis into the current threat landscape and emerging trends.

    Security Awareness Training

    Condition your workforce against today’s latest threats and transform them into your front line of defense.

    Security Awareness Training + Threat Protection

    Growing companies can get protection, realistic simulations and security awareness training all in one platform.

    Easily Report Suspected Threats

    Report suspicious threats with just one click.

    Empower Your Team

    Train employees through an with award-winning Learning Management System.

  • Clients

    Industries We Serve

    Businesses from all industries rely on Cofense to safeguard their teams.

    What Our Customers Say

    Global organizations trust Cofense to protect their most critical assets.

  • Resources

    Knowledge Center Hub

    Check out our resource library of solution content, whitepapers, videos and more.

    Events & Webinars

    Come see us at a local event or join us at an upcoming webinar.

    Blog

    Stay current on cybersecurity trends, market insights and Cofense news.

    Check Your SEG

    See the real threats that are currently evading your Secure Email Gateway (SEG).

  • About

    About Cofense

    Cofense stops email security threats and protects your company through our network of 35+ Million human reporters.

    News Center

    See the latest articles, press releases and more in our news center.

    Awards

    It’s an honor to be recognized in the cybersecurity market. Check out our recent awards.

    Partners

    Grow your business, drive new revenue streams, and improve your competitive posture through our Partner Program.

    Careers

    We’re looking for passionate people to join us in our mission to stop all email security threats for organizations around the globe.

    Management Team

    Get to know our management team.

Get a Demo

MS Word and Macros… Now With Social Engineering Malware

Share Now

Facebook
Twitter
LinkedIn

On December 11, one of our employees reported a phishing  email with PhishMe’s Reporter for Outlook that contained a particularly nasty Word document. The malicious payload included PowerShell, VBA, and batch code. Here’s a screenshot of the phishing email:

Figure 1 -- Phishing Email
Figure 1 — Screenshot of phishing email

Once opened, the document’s contents are blurred, and it asks recipients to enable macros in order to view the document.

Figure 2 -- Social Engineering
Figure 2 — Document requesting that user enable macros

Once enabled, the macro kicks off by executing a batch script via cmd.exe, which then executes visual basic script, which in turn triggers a PowerShell script. (Figure 3.)

Figure 3 -- Chain of execution
Figure 3 — Chain of execution for Word document

The batch file is responsible for pinging 1.1.2.2 twice, changing the console code to the Cyrillic script (chcp 1251), and running the second file, adobeacd-update.vbs. (Figure 4.)

Figure 4 -- Batch file
Figure 4 — Batch file exectued by macro

Next, the VBS file runs a powershell script with the command seen in Figure 5.

Figure 5 -- VBS file
Figure 5 — VBS file executing PowerShell script

The powershell code is where the malware is finally downloaded. First, the file downloads “x.exe” from the domain highlighted, then saves it to the system as the filename “444.exe”.

Figure 6 -- Powershell
Figure 6 — Excerpt of PowerShell script

Next, the script grabs the path name of the above scripts, saves them to a variable, sleeps for 15 seconds, and runs “444.exe”.

Figure 7 -- Powershell excerpt
Figure 7 — PowerShell excerpt that executes “444.exe”

Once executed, the powershell script attempts to clean up by removing the other scripts used to execute it.

Figure 8 -- attempted cleanup
Figure 8 — Attempted cleanup for the malware

By looking in Wireshark, we can see the file being downloaded in Figure 9.

Figure 9 -- Malware being downloaded
Figure 9 — Malware being downloaded

While the malware is packed, we can find some interesting things about the malware by analyzing the memory. First, by grepping before and after “eu”, attempt to POST to “/log/index.php”, and feed the information back containing the string “0USER0”. (Figure 10.)

Figure 10 -- memory
Figure 10 — Memory dump of data being collected

By looking at the pcap (Figure 11) and decoding the data (Figure 12) we can see that the data is presented exactly as seen in the pcap.

Figure 11
Figure 11 — Data from pcap
Figure 12 -- decoded data
Figure 12 — Decoded data from pcap

We can see that the malware is  capable of copying contents from the clipboard as well as logging keystrokes. This data is then POSTed back to the attackers domain.

For a Yara signature, the attackers included a “vbaProject.bin” file in the docx file. The following Yara rule can help to pick up variants that contain this:

rule PM_docx_with_vba_bin

{

strings:

$a1 = “PK”

$a2 = “word/_rels/vbaProject.bin”

 

condition:

$a1 at 0 and $a2

}

The word document has a very low detection rate (4/56) and can be found here: https://www.virustotal.com/en/file/a8ee9b6f3dfd02957d2f9f8abada269cbf7257a0d5745f2bae63c2a6892b83c5/analysis/

Read More Related Phishing Blog Posts

1602 Village Market Blvd, SE #400
Leesburg, VA 20175

(888) 304-9422

Facebook-f Twitter Linkedin Youtube

Company

Resources

Get a Demo

Search

We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

Accept
This site is registered on wpml.org as a development site.