This dreaded malware pretends to be Windows Update to hide


Computer attacks are on the rise in 2022, so it is wise to run a good antivirus on your machine. SafeBreach researchers have announced the discovery of a new malware campaign built around a Word file and a novel cloaking technique.

After investigation, the attack appears to have been part of a LinkedIn phishing attempt. At some point during the scam, victims were enticed to download a malicious Word file containing a macro. The file, uploaded from Jordan on August 25, 2022 according to its metadata, then kicks off a chain of actions.

Stealthy malware spreads via Office macros, then hides as a Windows Update task

The macro first drops a file named updater.vbs onto the machine, then creates a scheduled task that impersonates a Windows Update component. updater.vbs is placed in %appdata%\local\Microsoft\Windows so that it blends in among legitimate system files. The giveaway for a practitioner is that the genuine Windows Update client runs from %SystemRoot%: a scheduled task named after Windows Update whose action is a script host (wscript.exe or cscript.exe) running a .vbs from a user profile directory is not what the real thing looks like.
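One way a defender can hunt for this persistence pattern is to sweep the scheduled-task inventory for tasks whose action is a script host running a script from a user-writable directory, and to raise the severity when the task name imitates Windows Update. The Python below is an added example written for this article, not SafeBreach's tooling or the malware's own code. The task records are constructed to resemble the columns of `schtasks /query /v /fo csv` output; the look-alike task name, the user name and the two benign tasks are assumptions, and only the updater.vbs location comes from the report.

```python
import os
import re
from dataclasses import dataclass

# Script hosts the campaign's chain relies on (wscript/cscript for the .vbs
# stage, PowerShell for the downloaded stages), plus mshta as a common variant.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}

# Locations a standard user can write to. Genuine Windows Update binaries
# live under %SystemRoot%, never under a user profile or %AppData%.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|"
    r"%appdata%|%localappdata%|%temp%|\\temp\\",
    re.IGNORECASE,
)

# Task names an attacker would choose to hide among real maintenance tasks.
UPDATE_LOOKALIKE = re.compile(r"updat|wuau", re.IGNORECASE)


@dataclass
class TaskRecord:
    """One row of the scheduled-task inventory (constructed sample data)."""
    name: str       # full task path as shown by schtasks / Get-ScheduledTask
    run_as: str     # principal the task runs under ("Run As User" column)
    action: str     # executable from the "Task To Run" column
    arguments: str  # command-line arguments passed to that executable


def is_suspicious(task: TaskRecord):
    """Return a reason string if the task matches the updater.vbs pattern, else None."""
    # basename() on a non-Windows host does not split on backslashes, so normalise first.
    exe = os.path.basename(task.action.strip('"').replace("\\", "/")).lower()
    if exe not in SCRIPT_HOSTS:
        return None
    command_line = f"{task.action} {task.arguments}"
    if not USER_WRITABLE.search(command_line):
        return None
    if UPDATE_LOOKALIKE.search(task.name):
        return (f"task named like Windows Update runs {exe} on a script "
                f"in a user-writable path: {task.arguments}")
    return f"{exe} runs a script from a user-writable path: {task.arguments}"


def hunt(tasks):
    """Return (task name, reason) for every task that deserves a closer look."""
    findings = []
    for task in tasks:
        reason = is_suspicious(task)
        if reason:
            findings.append((task.name, reason))
    return findings


# Constructed sample inventory: a real Windows Update task, the malicious
# look-alike (task name and user are assumptions; the updater.vbs path is the
# reported one), and a benign admin script that runs from a protected path.
SAMPLE_TASKS = [
    TaskRecord(r"\Microsoft\Windows\WindowsUpdate\Scheduled Start", "SYSTEM",
               r"C:\Windows\System32\sc.exe", "start wuauserv"),
    TaskRecord(r"\Microsoft\Windows\Windows Update", r"CORP\jdoe",
               r"C:\Windows\System32\wscript.exe",
               r"C:\Users\jdoe\AppData\Local\Microsoft\Windows\updater.vbs"),
    TaskRecord(r"\IT\NightlyBackup", "SYSTEM",
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"-ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for name, reason in hunt(SAMPLE_TASKS):
        print(f"[!] {name}: {reason}")
```

On a live host, parse `schtasks /query /v /fo csv` into TaskRecord objects and pass the list to hunt(). The principal is a second tell worth adding: the real Windows Update tasks run as SYSTEM, whereas a task created by a macro runs as the logged-in user who opened the document.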

The malware then downloads a PowerShell script designed to talk to the attackers' command-and-control (C2) server. It is this first script that retrieves the commands to run on the victim's machine, delivered in the form of a second PowerShell script.

Fortunately, the attacker(s) behind the malware failed to cover their tracks completely, which let the researchers pin down exactly what it does. Each victim was assigned a sequential identifier (0, 1, 2, 3 and so on), so the researchers could work out which commands had been sent to which victim.

Most importantly, they were able to reconstruct the commands the attackers sent to the malware. The program can exfiltrate the list of running processes, send a list of files in specific folders, run whoami, and delete files in the user's Public folder. Everything indicates that the malware was designed for intelligence gathering.

Many of the antivirus products available in 2022 can now detect and remove this malware: The Hacker News reports that 32 antivirus vendors and 18 anti-malware agents have been updated to detect the new threat. For its part, Microsoft has long been aware of the risks posed by macros in Office documents.

The firm has therefore chosen to block Excel 4.0 macros (XLM or XL4) and VBA macros in documents downloaded from the internet by default, pushing attackers to find other ways to infect their targets. Still, many users, mainly in business, continue to rely on Office documents that contain macros, which gives attackers a plausible pretext for persuading a chosen victim to enable them.
