Microsoft Warns Users of New Malware Attack via a Disguised Excel Attachment

The new campaign uses malicious macro functions in an Excel attachment to attack Windows PCs.

By Tasneem Akolawala | Updated: 25 June 2019 13:19 IST

Microsoft Warns Users of New Malware Attack via a Disguised Excel Attachment

Photo Credit: Twitter/ Microsoft Security Intelligence

Microsoft has warned users of a new malware campaign

Highlights

The new malware campaign kicks off with an email and an attachment
A malicious file is installed, delivering the FlawedAmmyyy malware
The malware campaign is targeted towards Korean users

Microsoft is drawing attention to a new malware attack that infects Windows systems using its own Office software's macro functions. A new malware campaign is doing the rounds and it essentially employs a complex infection chain to download and run the notorious FlawedAmmyy RAT malware directly in memory. The attack starts with an email and .xls attachment with content in the Korean language, indicating that it is primarily targeting Korean users. It uses malicious macro functions in an Excel attachment to attack Windows PCs.

According to security firm Proofpoint, the malicious campaign has been started by a group called TA505. They have been responsible for similar attacks in the past, the security firm says, and this particular latest trick involves a malicious email and an Excel attachment that Microsoft warns users from opening.

"When opened, the .xls file automatically runs a macro function that runs msiexec.exe, which in turn downloads an MSI archive. The MSI archive contains a digitally signed executable that is extracted and run[s], and that decrypts and runs another executable in memory," Microsoft notes in its series of tweets.

A file called wsus.exe is then downloaded and decrypted, and it is intelligently designed to pass off as the official Microsoft Windows Service Update Service (WSUS). It is digitally signed on June 19, and decrypts the payload in RAM, delivering the FlawedAmmyy payload.

Microsoft says that its Threat Protection defends customers from this attack. “Cloud-based machine learning protections in Microsoft Defender ATP blocked all of the components of this attack at first sight, including the FlawedAmmyy RAT payload. Office 365 ATP detects the email campaign,” the company notes.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.