FortiGuard Labs Threat Research

Are Internet Macros Dead or Alive?

By Hossein Jazi | April 12, 2023

Affected platforms: Windows
Impacted parties: Windows Users
Impact: Potential to deploy additional malware for further malicious purposes
Severity level: Medium

In early February of 2022, Microsoft announced that Internet Macros would be blocked by default to improve the security of Microsoft Office. According to their blog published in late Feb 2023, this change began rolling out in some update channels in April 2022. Other channels followed in July and October 2022, with the final rollout in January 2023.

Office uses a specific algorithm to determine whether to run macros in files that came from the Internet. The process starts by checking the file's attributes: if the file carries a Mark of the Web (MOTW), Office verifies whether it is stored in a trusted location and performs several other checks, and based on those outcomes it decides whether to block or run the macro.
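The MOTW that this decision hinges on is physically a small INI-style alternate data stream named Zone.Identifier. The following Python is an added example, not Fortinet's code or Office's implementation: it parses that stream and applies a simplified version of the flow just described. The zone numbering (0 local machine, 1 intranet, 2 trusted sites, 3 Internet, 4 restricted sites), the modelling of trusted locations as a list of directory prefixes, and the sample stream are assumptions of this example; Office's real decision has more branches than the two shown here.

```python
"""Added example (not Fortinet's code): parse a Windows Zone.Identifier
stream (the Mark of the Web) and apply a simplified macro-blocking decision.
Assumptions not stated in the article: ZoneId follows the Windows URL
security zone numbering (3 = Internet, 4 = restricted sites), and "trusted
locations" are modelled as a plain list of directory prefixes."""
import configparser
from dataclasses import dataclass
from typing import Iterable, Optional

ZONE_INTERNET = 3  # any ZoneId >= 3 is treated as "came from the Internet"


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None


def parse_zone_identifier(stream_text: str) -> Optional[MarkOfTheWeb]:
    """Parse the text of a ':Zone.Identifier' stream (INI-style).
    Returns None when no usable [ZoneTransfer]/ZoneId is present."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(stream_text)
    if "ZoneTransfer" not in parser:
        return None
    section = parser["ZoneTransfer"]
    if "ZoneId" not in section:
        return None
    return MarkOfTheWeb(
        zone_id=int(section["ZoneId"]),
        referrer_url=section.get("ReferrerUrl"),
        host_url=section.get("HostUrl"),
    )


def read_motw(path: str) -> Optional[MarkOfTheWeb]:
    """Read the MOTW of a file on NTFS. On non-Windows systems, or when the
    file carries no such stream, the open fails and None is returned."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def _norm(p: str) -> str:
    return p.replace("/", "\\").rstrip("\\").lower()


def should_block_macros(doc_path: str, motw: Optional[MarkOfTheWeb],
                        trusted_locations: Iterable[str]) -> bool:
    """Simplified flow from the article: no MOTW, or a MOTW from a local zone,
    means this rule does not block; an Internet/restricted-zone MOTW blocks
    unless the document lives under a trusted location."""
    if motw is None or motw.zone_id < ZONE_INTERNET:
        return False
    doc = _norm(doc_path)
    for loc in trusted_locations:
        if doc.startswith(_norm(loc) + "\\"):
            return False
    return True


# Constructed sample stream, in the shape Windows writes for a browser download.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://mail.example.invalid/
HostUrl=https://files.example.invalid/invoice.docm
"""

if __name__ == "__main__":
    motw = parse_zone_identifier(SAMPLE_STREAM)
    trusted = [r"C:\Users\alice\Documents\Trusted"]
    for path in (r"C:\Users\alice\Downloads\invoice.docm",
                 r"C:\Users\alice\Documents\Trusted\invoice.docm"):
        verdict = "block" if should_block_macros(path, motw, trusted) else "allow"
        print(path, "->", verdict)
```

The practical point for a defender is the second branch: a document that is copied into a trusted location keeps its MOTW but is no longer blocked by this rule, which is why trusted locations should be few and write-protected from ordinary users. Archive formats that do not propagate the stream to extracted files are the other common way the MOTW goes missing.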

Since that announcement, we have observed that cyber threat actors have begun to test and adopt new infection vectors to replace Office macros. These methods include using .hta, .lnk, and .chm files and targeting Office vulnerabilities (Equation Editor and Follina are the most common); over the past year we have also seen cyber threat actors use .xll files to distribute their malicious payloads.

The most common method employed by several cybercrime and nation-state actors is using ISO image files that usually contain a .lnk file and a dll payload to distribute their malware. In this method, the victim must execute the .lnk file, which in turn executes the dll file, commonly either the malicious payload itself or a downloader that retrieves the next-stage payload. These ISO images are either directly attached to a spam/phishing email or are dropped using other methods, such as HTML smuggling, in which an HTML file is attached to the spam/phishing email and, when opened, writes a malicious ISO file to the victim's machine. We covered these techniques in blogs last year, here and here.

Even though several cyber threat actors have adopted TTPs that no longer rely on Office macros, we have observed several threat actors still using Office macros to initiate their attacks. In this blog post, we provide an overview of some of the interesting macro-embedded Office documents we observed early this year (some of these activities have already been reported by security researchers on Twitter). It is worth mentioning that while some of the threat actors had multiple activities, we cover only one of them as an example in this post. All the related IOCs are listed in the IOC (Indicator of Compromise) section at the end of this blog.

Emotet

Emotet is a modular malware launched into the wild around 2014, originally operating as banking malware within an organized botnet. Nowadays, Emotet mainly operates as a downloader for additional payloads such as IcedID, eventually leading to ransomware deployment.

Emotet adopted .lnk files as one of its distribution methods in mid-2022. On March 7 of this year, Emotet returned to operation, and this time the actor is using malicious documents to spread Emotet.

In this new campaign, malicious documents weaponized with macros are embedded in an archive file and used as attachments in spam emails. The lure they use is well-known, having been employed by these threat actors in their previous campaigns.

This is not the only template used in this campaign. We also observed that the actor had used another template to distribute Emotet.

All the URLs, strings, and file names are stored encoded in the macro, which includes a decoder function to recover them. The decoder receives three arguments: a hardcoded string, an array of numbers that is populated before the call, and a size. The function loops up to the given size, each time using the Mid function to pick the character from the hardcoded string at the position given by the corresponding array entry, and appends the selected characters to build the output string. All function executions are performed through the CallByName function, which invokes a method of an object by name.

The macro first decodes all the encoded URLs and then creates a file name to store the Emotet payload. The file name is also decoded and is derived from the machine's current time. For example, if the time is 12:25:23, the file name will be 122523.tmp.

It then builds the required parameters for each URL and makes the HTTP request to get the Emotet payload. More specifically, it appends the current time (in the same format used to create the .tmp file name) and a parameter (usually c=1) to the end of the URL.

It performs the HTTP requests and polls the status until it receives 200, which means the server has responded. It then downloads the response body, which is a zip file, and saves it on the victim's machine in the same directory as the Word document. After that, it extracts the zip file and moves the contents of the archive into the .tmp file whose name was created in the previous step. It then deletes both the zip file and the extracted directory. In the last step, it calls RegSvr32.exe to execute the payload.

Gozi ISFB

Gozi ISFB, also known as Ursnif, is a banking trojan that has been distributed through spam campaigns, exploit kits, and fake pages. Recently, this trojan has been distributed using various methods, such as .hta and .lnk files, but this trojan is also still being distributed using macro-based Excel documents. In a recent spam campaign on March 9th, they used archive files containing macro-embedded Excel files as attachments to spam emails to target users in Italy.

The Excel document contains a macro that downloads and executes the Gozi payload. Enabling macros alone does not trigger the download, since the primary function runs only when the end user clicks the "APRI (Open)" button. Clicking this button executes the "beneficiary" function, which is simple. As you can see below, the download URL is encoded within the macro with some numbers inserted between each character. The function then uses URLDownloadToFileA to download the payload and save it as a .cvs file in the Documents directory, and then uses the VBA.Shell function to execute the downloaded dll via rundll32. It also clears the Internet Explorer cache using the Shell command.

Donot APT

Donot APT, also known as APT-C-35 and SectorE02, is a threat actor that has targeted organizations and individuals in South Asia, specifically Bangladesh, Sri Lanka, Pakistan, and Nepal, since at least 2016. This actor relies on spear-phishing emails weaponized with malicious documents to target its victims.

We have observed that the group still uses malicious documents to target its victims. We observed several maldocs being used by this actor in early 2023, and in this section we look at the most recent campaign run by this actor. Most of the maldocs we observed have a creation time of around 2021, but all were connected to domains created within the past 30 days. This suggests that the threat actor reused maldocs it had created earlier in its February and March 2023 campaigns.

The embedded macro uses a combination of lesser-known APIs to inject shellcode into the memory of the Microsoft Office process: NtAllocateVirtualMemory, WideCharToMultiByte, and Internal_EnumUILanguages. The Internal_EnumUILanguages API is used as a callback to execute the shellcode. These API calls evade blacklist-based detections that look for well-known VBA functions such as Shell and Run.
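Because the Donot macro avoids Shell and Run, a blacklist of a few VBA function names misses it, but the Declare statements it needs are themselves visible in the source. The following Python is an added example, not Fortinet's tooling: a small static triage script for VBA source (as extracted with a tool such as olevba) that combines several indicators from the Emotet, Gozi ISFB and Donot sections into technique-level verdicts: Mid-based decoding driven through CallByName, a download API paired with rundll32/regsvr32 via Shell, and the NtAllocateVirtualMemory / WideCharToMultiByte / EnumUILanguages trio. The rule names, the technique grouping and the sample macros are constructed for this example; the samples are fragments with their bodies elided and abbreviated Declare signatures, so they do nothing on their own.

```python
"""Added example (not Fortinet's code): static triage of extracted VBA source.
Rule ids, technique names and the sample macros are constructed for this
example; the samples are non-functional fragments used to exercise the rules."""
import re
from typing import Dict, List, Set

# rule id -> regex over the macro text (case-insensitive, multi-line)
RULES: Dict[str, str] = {
    "callbyname":    r"\bCallByName\b",
    "mid_decoder":   r"\bMid\$?\s*\(",
    "api_declare":   r"^\s*(?:Private|Public)?\s*Declare\s+(?:PtrSafe\s+)?Function\b",
    "download_api":  r"\bURLDownloadToFile[AW]?\b",
    "shell_exec":    r"\bShell\b[^\n]*\b(?:rundll32|regsvr32)\b",
    "memory_alloc":  r"\b(?:NtAllocateVirtualMemory|VirtualAlloc(?:Ex)?)\b",
    "wide_to_multi": r"\bWideCharToMultiByte\b",
    "callback_exec": r"\b\w*EnumUILanguages[AW]?\b",
}
_COMPILED = {k: re.compile(v, re.IGNORECASE | re.MULTILINE) for k, v in RULES.items()}

# technique -> rule ids that must all be present; single hits alone are noise
TECHNIQUES: Dict[str, Set[str]] = {
    "string_obfuscation":   {"callbyname", "mid_decoder"},
    "download_and_execute": {"download_api", "shell_exec"},
    "in_process_shellcode": {"memory_alloc", "callback_exec"},
}


def scan_vba(source: str) -> Dict[str, List[str]]:
    """Return the rule ids that matched and the techniques they combine into."""
    hits = sorted(k for k, rx in _COMPILED.items() if rx.search(source))
    techniques = sorted(t for t, needed in TECHNIQUES.items() if needed <= set(hits))
    return {"hits": hits, "techniques": techniques}


# --- constructed samples (not real malware; bodies elided) ------------------
EMOTET_STYLE = r'''
Function dec(s As String, idx() As Integer, n As Integer) As String
    Dim i As Integer, out As String
    For i = 0 To n - 1
        out = out & Mid(s, idx(i), 1)   ' one character per array entry
    Next i
    dec = out
End Function
Sub Document_Open()
    ' ... arrays populated, then every call is made through CallByName ...
    CallByName obj, dec(s, a, n), VbMethod, arg
End Sub
'''

GOZI_STYLE = r'''
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal a As LongPtr) As Long
Sub beneficiary()
    ' ... decode URL, download to a .cvs under Documents (elided) ...
    VBA.Shell "rundll32 " & path & ",DllRegisterServer", vbHide
End Sub
'''

DONOT_STYLE = r'''
' Declare signatures abbreviated; only the names matter to the scanner
Private Declare PtrSafe Function NtAllocateVirtualMemory Lib "ntdll" (ByVal h As LongPtr) As Long
Private Declare PtrSafe Function WideCharToMultiByte Lib "kernel32" (ByVal cp As Long) As Long
Private Declare PtrSafe Function Internal_EnumUILanguages Lib "kernel32" (ByVal cb As LongPtr) As Long
Sub AutoOpen()
    ' ... allocate, copy, then use the enumeration callback (elided) ...
End Sub
'''

BENIGN = r'''
Sub FormatCells()
    Dim s As String
    s = Mid(ActiveSheet.Name, 1, 3)
    ActiveSheet.Range("A1").Value = UCase(s)
End Sub
'''

if __name__ == "__main__":
    for name, src in (("emotet", EMOTET_STYLE), ("gozi", GOZI_STYLE),
                      ("donot", DONOT_STYLE), ("benign", BENIGN)):
        print(name, scan_vba(src))
```

The benign sample shows why the technique layer matters: Mid on its own is everyday VBA and fires only the low-value `mid_decoder` rule, whereas the Donot fragment produces a verdict without containing Shell or Run at all. In production the rule table would be longer, and any hit on the `api_declare` rule is worth a human look regardless of the verdict.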

The injected shellcode connects to its C2s to get the next-stage payload. It also creates a scheduled task to make connections to its C2.

Besides what we analyzed here, we have also seen a malicious Word document used by this actor sometime around Jan 17th of this year.

Confucius APT

Confucius is a threat actor that has primarily run cyberespionage campaigns against Pakistan since 2013. This threat actor has used macro-based documents in its past campaigns and is still using the same method to initiate its current attacks. In one of its most recent operations, run in February of this year, it used macro-based documents to target the financial division of the government of Pakistan.

The macro drops a text file into the Public/Pictures directory and then creates a scheduled task to execute it at a specific time. The dropped .txt file actually contains shellcode, which is executed by calling PowerShell:

powershell.EXE -w hidden iex([System.Text.Encoding]::ASCII).GetString((([string](get-content -path C:\Users\Public\Pictures\walpaper.jpeg.txt)).replace(' ','')).split(','))

SideCopy APT

SideCopy is a Pakistani threat actor that has primarily targeted India since at least 2019. The actor has used multiple methods, such as .lnk files, macro-based documents, and trojanized applications, to initiate its attacks. In one of its most recent operations, it still used macro-embedded Word documents to target the government of India.

The macro is simple. Its execution starts when a user closes the document. It connects to its server to download the content of a payload in text format, which it then converts to an executable and stores in the Startup directory to be executed after a machine reboot.

Unknown Actor

On March 1st, we identified a new malicious document that might have targeted Vietnamese users. The malicious document was weaponized with a macro, yet another example of threat actors that still rely on macro-embedded documents to initiate their attacks.

The embedded macro drops an archive file that contains all the malicious files needed in this attack. The archive file contains batch scripts, PowerShell scripts, and dll files.

In the next step, it moves its archive file into the APPDATA/Microsoft directory and unzips it. The dlls embedded within the archive file perform the primary malicious activities. The macro is only responsible for loading the right dll file according to the OS version and then calling its export function. The dll file is responsible for creating three scheduled tasks (Script_Update, Windows_Executor, Windows_Update) and executing them at specific time intervals. Each scheduled task executes one of the scripts embedded within the archive file.
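Several of the campaigns above leave the same kinds of host-side traces even though their macros differ: Office spawning regsvr32 on a six-digit HHMMSS.tmp file (Emotet), PowerShell launched hidden with iex over Get-Content of a text file (Confucius), an Office process writing into the Startup folder (SideCopy), and scheduled tasks created from Office or carrying the Script_Update / Windows_Executor / Windows_Update names (Donot, Confucius, and the document analysed in this section). The following Python is an added example, not Fortinet's detection content: a handful of rules run over constructed, Sysmon-like event records. The field names, rule names and sample events are assumptions of this example, not a real log schema; the command line in event 2 is the one shown in the Confucius section.

```python
"""Added example (not Fortinet's code): host-telemetry rules for the
post-macro behaviour described in this post, run over constructed
Sysmon-like event dictionaries. Field names and rule names are assumptions."""
import re
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"powershell.exe", "regsvr32.exe", "rundll32.exe", "cmd.exe", "mshta.exe"}
# task names from the Vietnamese-themed maldoc analysed above
KNOWN_TASK_NAMES = {"script_update", "windows_executor", "windows_update"}
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
TIMESTAMP_TMP = re.compile(r"\\\d{6}\.tmp\b", re.IGNORECASE)   # e.g. 122523.tmp
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)
IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
GET_CONTENT = re.compile(r"\b(?:get-content|gc)\b", re.IGNORECASE)


def _base(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: Dict) -> List[str]:
    """Return the rule names that fire for one event (empty list = no alert)."""
    hits: List[str] = []
    if ev["type"] == "process_create":
        parent, child = _base(ev["parent_image"]), _base(ev["image"])
        cmd = ev["command_line"]
        if parent in OFFICE_APPS and child in LOLBINS:
            hits.append("office_spawned_lolbin")
        if child == "regsvr32.exe" and TIMESTAMP_TMP.search(cmd):
            hits.append("regsvr32_timestamp_tmp")
        if child == "powershell.exe" and HIDDEN_FLAG.search(cmd) \
                and IEX.search(cmd) and GET_CONTENT.search(cmd):
            hits.append("powershell_hidden_iex_from_file")
    elif ev["type"] == "file_create":
        if _base(ev["image"]) in OFFICE_APPS and STARTUP_DIR.search(ev["target"]):
            hits.append("office_wrote_startup_folder")
    elif ev["type"] == "task_create":
        if ev["task_name"].lower() in KNOWN_TASK_NAMES or _base(ev["image"]) in OFFICE_APPS:
            hits.append("suspicious_scheduled_task")
    return hits


def detect(events) -> Dict[int, List[str]]:
    """Map event id -> fired rules, for the events that fired anything."""
    out: Dict[int, List[str]] = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            out[ev["id"]] = hits
    return out


# --- constructed sample events (user name and paths are made up) -----------
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "parent_image": OFFICE_DIR + r"\WINWORD.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe C:\Users\alice\Downloads\122523.tmp"},
    # launched by the scheduled task, so the parent is the task host, not Office
    {"id": 2, "type": "process_create", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.EXE -w hidden iex([System.Text.Encoding]::ASCII).GetString((([string](get-content -path C:\Users\Public\Pictures\walpaper.jpeg.txt)).replace(' ','')).split(','))"},
    {"id": 3, "type": "file_create", "image": OFFICE_DIR + r"\EXCEL.EXE",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.exe"},
    {"id": 4, "type": "task_create", "image": r"C:\Windows\System32\rundll32.exe",
     "task_name": "Windows_Executor"},
    {"id": 5, "type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
    {"id": 6, "type": "task_create", "image": r"C:\Windows\System32\svchost.exe",
     "task_name": "OneDrive Standalone Update Task"},
]

if __name__ == "__main__":
    for event_id, rules in detect(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

The first three rules do not depend on any indicator from this post and keep working when file names and domains rotate; the task-name rule is the only one tied to this specific campaign and is the one to expect to age out first. Events 5 and 6 are ordinary activity and should produce nothing, which is the check that keeps rules like `office_spawned_lolbin` from paging on every document.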

We also found another document associated with this actor that was uploaded to VirusTotal in December 2022. This may indicate that the actor has been active over the past few months.

Other Cyber Threat Actors

Besides what we have reported in the previous sections, we have also observed other actors still using macro-based documents to target their victims. Here are some of them:

- Kimsuky used a macro-based document to target Korean-speaking people. The maldoc deploys Quasar RAT.

- A threat actor targeted defense production factories in Pakistan in early February of this year. The actor used a macro-embedded Excel file to distribute its payload. Because we do not have enough indicators, we are not attributing this activity to any specific actor.

The macro is not obfuscated. It just downloads the payload from the server and stores it in the Startup directory as Notepad.exe.

Conclusion

This blog post provided an overview of threat actors still using macro-based Office documents. We showed several APT groups, such as Kimsuky, Donot, and SideCopy, and cyber-crime actors, such as Emotet, still relying on macro-based Office documents to initiate attacks and distribute their payloads. This research shows that although it has been over a year since Microsoft announced its intent to disable Internet macros, numerous threat actors still use those macros to distribute their malware. This suggests that security teams and users still need to be cautious when opening Office documents and should update their software to the latest versions, which block these macros by default.

Fortinet Protections

Fortinet customers are already protected from these APT and cyber-crime campaigns through FortiGuard’s AntiVirus, FortiMail, and FortiClient services, as follows:

The following AntiVirus (AV) signatures detect the malicious documents mentioned in this blog:

VBA/Valyria.7853!tr
VBA/Agent.CVE!tr
VBA/Agent.6412!tr
VBA/Agent.YSM!tr
VBA/Agent.AEC!tr
VBA/Agent.YEU!tr
VBA/Agent.YVG!tr
VBA/Emotet.RES!tr

Fortinet has multiple solutions designed to help train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

We also suggest that organizations have their end users undergo our FREE NSE training: NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.

If you think this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team.

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.

IOCs