Excel malware attack is playing out new tricks

Media reported that malicious groups that profited by illegal means had recently played a new trick in Microsoft Excel software attacks. Cybercrime groups, known as TA505 and Sector Jo4, are known for using Necurs botnets like retail businesses and financial institutions to launch large-scale malicious spam attacks. Now, however, they have adopted a new set of tactics.

Excel malware attack is playing out new tricks

(Instagram via MSPU)

In the new scam, they are sending mail attachments with HTML redirectors and maliciously fabricated Excel documents.

When triggered, it is able to release remote access Trojans (RAT), distribute malware such as Dridex and Trick, and ransomware such as Locky, BitPaymer, Philadelphia, Globe, And Jaff.

Excel malware attack is playing out new tricks

“The new attack uses an HTML redirector attached to an e-mail message that opens and results in the download of Dudear malware, which carries a large number of macro operations and places a large load on the affected machine,” Microsoft’s security intelligence researchers said on Twitter.

In contrast, previous Dudear e-mail campaigns used malware as attachments or using malicious URLs.

Excel malware attack is playing out new tricks

Once users “enable editing” after opening a malicious document, they release malware to the system. Thereafter, the affected system is also infected with an IP traceability service that can be tracked by an attacker for IP boycotts of computers that have opened malicious Excel files.

In addition, the malware contains information-stealing Trojan Snare. It collects sensitive information and forwards it to attackers through command and control servers.