{"id":2458,"date":"2021-07-10T17:43:43","date_gmt":"2021-07-10T12:13:43","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=2458"},"modified":"2021-07-10T17:43:45","modified_gmt":"2021-07-10T12:13:45","slug":"hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/","title":{"rendered":"Hackers Use Advanced Trick to Disable Macro Security Warning in Malicious Office Files"},"content":{"rendered":"\n<p style=\"text-align: justify;\">Phishing operations that distribute weaponized Microsoft Office documents to targeted victims normally rely on the recipient enabling macros to trigger the infection chain. New research shows that attackers are now using a document whose own macro contains no malicious code to disable the macro security warning before the malicious macro code runs on the victim\u2019s system.<\/p>\n\n\n\n<p style=\"text-align: justify;\">In yet another example of malware authors evolving their tactics to evade detection, researchers at McAfee Labs came across a technique that \u201cdownloads and runs malicious DLLs (ZLoader) without any malicious code present in the first spammed attachment macro.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What is ZLoader?<\/strong><\/h2>\n\n\n\n<p style=\"text-align: justify;\">According to the cybersecurity firm, ZLoader infections spread through this mechanism have mainly been reported in the U.S., Canada, Spain, Japan, and Malaysia. The Trojan, a descendant of the notorious ZeuS banking malware, is known for using macro-enabled Office documents as its initial attack vector to steal sensitive data and personally identifiable information from customers of the targeted financial institutions.<\/p>\n\n\n\n<p style=\"text-align: justify;\">Investigating the intrusion, the researchers found that the infection chain began with a phishing email carrying a Microsoft Word attachment which, when opened, downloaded a password-protected Microsoft Excel file from a remote server. It is worth noting that macros still have to be enabled in the Word document for the download to take place; the trick described here removes only the second warning, the one Excel would otherwise show before running the macros written into the downloaded workbook.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"728\" height=\"496\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Hackers-Use-Advance-Trick-to-Disable-Macro-Security-Warning-in-Malicious-Office-Files-image1.jpg\" alt=\"Hackers-Use-Advance-Trick-to-Disable-Macro-Security-Warning-in-Malicious-Office-Files-image1\" class=\"wp-image-2461\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Hackers-Use-Advance-Trick-to-Disable-Macro-Security-Warning-in-Malicious-Office-Files-image1.jpg 728w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Hackers-Use-Advance-Trick-to-Disable-Macro-Security-Warning-in-Malicious-Office-Files-image1-300x204.jpg 300w\" sizes=\"(max-width: 728px) 100vw, 728px\" \/><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>How the Attack Chain Works<\/strong><\/h2>\n\n\n\n<p style=\"text-align: justify;\">\u201cAfter downloading the XLS file, the Word VBA goes through the cell contents from the XLS, generates a new macro for the same XLS file and writes the cell contents to the XLS VBA macros as functions,\u201d the researchers said. Once the macros are written and ready, the Word document sets the policy in the registry to \u2018Disable Excel Macro Warning\u2019 and invokes the malicious macro function from the Excel sheet. The Excel file then downloads the ZLoader payload, which is run using rundll32.exe. Both steps depend on per-user Office settings: writing macros into another workbook\u2019s VBA project is only allowed when Excel\u2019s \u2018Trust access to the VBA project object model\u2019 option is on, and whether Excel warns before running macros is decided by its macro notification setting. Both are stored as plain registry values (AccessVBOM and VBAWarnings under HKCU\\Software\\Microsoft\\Office\\&lt;version&gt;\\Excel\\Security), so a macro already running as the logged-in user can change them without any privilege escalation. The same values set under HKCU\\Software\\Policies\\Microsoft\\Office\\&lt;version&gt;\\Excel\\Security through Group Policy take precedence, which is the administrative control that blunts this trick.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"728\" height=\"380\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Hackers-Use-Advance-Trick-to-Disable-Macro-Security-Warning-in-Malicious-Office-Files-image2.jpg\" alt=\"Hackers-Use-Advance-Trick-to-Disable-Macro-Security-Warning-in-Malicious-Office-Files-image2\" class=\"wp-image-2462\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Hackers-Use-Advance-Trick-to-Disable-Macro-Security-Warning-in-Malicious-Office-Files-image2.jpg 728w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Hackers-Use-Advance-Trick-to-Disable-Macro-Security-Warning-in-Malicious-Office-Files-image2-300x157.jpg 300w\" sizes=\"(max-width: 728px) 100vw, 728px\" \/><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify;\">Given the \u201csignificant security risk\u201d posed by macros, the feature is generally disabled by default, but that countermeasure has had the unfortunate side effect of pushing threat actors to craft convincing social engineering lures that manipulate the user into enabling them. By switching off the security warning presented to the user, these attacks are notable for the lengths they go to in order to evade detection and stay under the radar.<\/p>\n\n\n\n<p style=\"text-align: justify;\">\u201cMalicious documents have been an access point for most malware families and these adversaries have been expanding their infection tactics and complexity, not just restricting themselves to direct downloads of payloads from VBA, but making agents dynamically to download payloads,\u201d one of the investigators said. \u201cManagement of such agents in the infection chain is not only limited to Word or Excel, but many more threats might use other living off the land tools to download their payloads.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Phishing operations that distribute weaponized Microsoft Office documents to targeted victims normally rely on the recipient enabling macros to trigger the infection chain. New research shows that attackers are now using a document whose own macro contains no malicious code to disable the macro security warning before the malicious macro code runs on the victim\u2019s system. In yet another example of malware authors [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":2460,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[15],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.11 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Hackers Use Advanced Trick to Disable Macro Security Warning in Malicious Office Files - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Hackers Use Advanced Trick to Disable Macro Security Warning in Malicious Office Files - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"To trigger the infection chain directly it\u2019s a rule for phishing operations that distribute weaponries Microsoft Office documents to precise victims to enable macros, new researches show that attackers are using non-malicious documents to disable security warnings before run macro codes to harm 
victim\u2019s systems. Whereas in yet another detailed information of malware authors constant [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-10T12:13:43+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-07-10T12:13:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Hackers-Use-Advance-Trick-to-Disable-Macro-Security-Warning-in-Malicious-Office-Files-featured-image.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"Hackers Use Advance Trick to Disable Macro Security Warning in Malicious Office Files\",\"datePublished\":\"2021-07-10T12:13:43+00:00\",\"dateModified\":\"2021-07-10T12:13:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/\"},\"wordCount\":466,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Infosec News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/\",\"url\":\"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/\",\"name\":\"Hackers Use Advance Trick to Disable Macro Security Warning in Malicious Office Files - Xiarch Solutions Private 
Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-07-10T12:13:43+00:00\",\"dateModified\":\"2021-07-10T12:13:45+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Hackers Use Advance Trick to Disable Macro Security Warning in Malicious Office Files\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Hackers Use Advance Trick to Disable Macro Security Warning in Malicious Office Files - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/","og_locale":"en_US","og_type":"article","og_title":"Hackers Use Advance Trick to Disable Macro Security Warning in Malicious Office Files - Xiarch Solutions Private Limited","og_description":"To trigger the infection chain directly it\u2019s a rule for phishing operations that distribute weaponries Microsoft Office documents to precise victims to enable macros, new researches show that attackers are using non-malicious documents to disable security warnings before run macro codes to harm victim\u2019s systems. Whereas in yet another detailed information of malware authors constant [&hellip;]","og_url":"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-07-10T12:13:43+00:00","article_modified_time":"2021-07-10T12:13:45+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Hackers-Use-Advance-Trick-to-Disable-Macro-Security-Warning-in-Malicious-Office-Files-featured-image.png","type":"image\/png"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"Hackers Use Advance Trick to Disable Macro Security Warning in Malicious Office Files","datePublished":"2021-07-10T12:13:43+00:00","dateModified":"2021-07-10T12:13:45+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/"},"wordCount":466,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Infosec News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/","url":"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/","name":"Hackers Use Advance Trick to Disable Macro Security Warning in Malicious Office Files - Xiarch Solutions Private 
Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-07-10T12:13:43+00:00","dateModified":"2021-07-10T12:13:45+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/hackers-use-advance-trick-to-disable-macro-security-warning-in-malicious-office-files\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Hackers Use Advance Trick to Disable Macro Security Warning in Malicious Office Files"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch 
Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2458"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=2458"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2458\/revisions"}],"predecessor-version":[{"id":2463,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2458\/revisions\/2463"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/2460"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=2458"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=2458"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=2458"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
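The attack chain in the post above leaves a defender three observable events: an Office process rewriting the per-user macro security values (AccessVBOM and VBAWarnings under the Office Security key), Word driving a second Office application, and Excel handing the downloaded payload to rundll32.exe. The following Python is an added detection example written for this page, not code from the article, from Xiarch or from McAfee. It assumes Sysmon-style telemetry (Event ID 1 process creation and Event ID 13 registry value set, with Sysmon's "DWORD (0x...)" rendering of REG_DWORD values and HKCU paths reported as HKU\<SID>\...), and it runs over constructed sample events, not real ZLoader indicators; the payload file name and user SID in the samples are made up.

```python
import re

# Office hosts whose macros could be performing the registry writes and process launches below.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Per-user Office macro security values live under
# HKCU\Software\Microsoft\Office\<version>\<app>\Security. Sysmon reports HKCU paths as
# HKU\<SID>\..., so only the tail of the key is matched; the Policies variant is included
# so writes to the Group Policy location are caught as well.
SECURITY_VALUE = re.compile(
    r"\\Software\\(?:Policies\\)?Microsoft\\Office\\\d+\.\d+\\"
    r"(Excel|Word|PowerPoint)\\Security\\(VBAWarnings|AccessVBOM)$",
    re.IGNORECASE,
)


def _image_name(path):
    """File name of a Windows image path, lower-cased ('C:\\...\\WINWORD.EXE' -> 'winword.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def _dword(details):
    """Parse the number out of Sysmon's REG_DWORD rendering, e.g. 'DWORD (0x00000001)'."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    return int(m.group(1), 16) if m else None


def check_registry_set(ev):
    """Rule for Sysmon Event ID 13 (RegistryEvent SetValue). Returns (rule, message) or None."""
    m = SECURITY_VALUE.search(ev["TargetObject"])
    if not m:
        return None
    app, name = m.group(1), m.group(2).lower()
    value = _dword(ev["Details"])
    writer = _image_name(ev["Image"])
    # VBAWarnings: 1 = enable all macros (no warning, what the Word macro sets);
    # 2 = disable with notification (default); 3 = disable except signed; 4 = disable all silently.
    if name == "vbawarnings" and value == 1:
        return ("macro_warning_disabled", f"{writer} set {app} VBAWarnings=1 (macro warning suppressed)")
    # AccessVBOM: 1 = trust access to the VBA project object model, required before a macro
    # can write new VBA modules into another workbook.
    if name == "accessvbom" and value == 1:
        return ("vba_project_access_trusted", f"{writer} set {app} AccessVBOM=1")
    return None


def check_process_create(ev):
    """Rule for Sysmon Event ID 1 (ProcessCreate). Returns (rule, message) or None."""
    child, parent = _image_name(ev["Image"]), _image_name(ev["ParentImage"])
    if parent not in OFFICE_APPS:
        return None
    if child == "rundll32.exe":
        return ("office_spawned_rundll32", f"{parent} launched rundll32.exe: {ev['CommandLine']}")
    if child in OFFICE_APPS and child != parent:
        return ("office_spawned_office", f"{parent} launched {child} (document driving a second Office app)")
    return None


def analyse(events):
    """Run each event through the rule for its Sysmon event ID; return (rule, message) alerts in order."""
    rules = {13: check_registry_set, 1: check_process_create}
    alerts = []
    for ev in events:
        hit = rules.get(ev["EventID"], lambda _: None)(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry (made-up SID and file names, not real ZLoader IoCs)
# reproducing the chain described in the article, plus two benign look-alikes.
SID = "HKU\\S-1-5-21-1111-2222-3333-1001"
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
EXCEL = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": WORD,
     "TargetObject": SID + "\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\AccessVBOM",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": WORD,
     "TargetObject": SID + "\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\VBAWarnings",
     "Details": "DWORD (0x00000001)"},
    # Benign: an admin restoring the default "disable with notification" setting.
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": SID + "\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\VBAWarnings",
     "Details": "DWORD (0x00000002)"},
    # Excel started through COM automation from the Word macro.
    {"EventID": 1, "Image": EXCEL, "ParentImage": WORD,
     "CommandLine": "\"EXCEL.EXE\" /automation -Embedding"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": EXCEL,
     "CommandLine": "rundll32.exe C:\\Users\\user\\AppData\\Local\\Temp\\stage2.dll,DllRegisterServer"},
    # Benign: rundll32 started by the shell, not by an Office host.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for rule, msg in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] {msg}")
```

Run as a script it prints four alerts for the constructed chain and stays silent on the two benign events. In production the registry rules need a baseline: developer tooling legitimately sets AccessVBOM=1, and the Office version segment varies (14.0, 15.0, 16.0), which the pattern already tolerates. Writes to the Policies key by the Group Policy client should be excluded by writer image rather than by dropping the Policies match, since an attacker with local admin could target that key too.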