Macro-based self-replicating malware, which basically allows a macro to write to a greater extent than macros, is non novel amidst hackers, but to forestall such threats, Microsoft has already introduced a safety machinery inward MS Office that past times default limits this functionality.
Lino Antonio Buono, an Italian safety researcher who industrial plant at InTheCyber, reported a uncomplicated technique (detailed below) that could permit anyone to bypass the safety command seat inward house past times Microsoft as well as practise self-replicating malware hidden behind innocent-looking MS Word documents.
What's Worse? Microsoft refused to see this number a safety loophole when contacted past times the researcher inward Oct this year, maxim it's a characteristic intended to piece of employment this way only—just similar MS Office DDE feature, which is directly actively beingness used past times hackers.
New 'qkG Ransomware' Found Using Same Self-Spreading Technique
Interestingly, i such malware is on its way to touching you. I know, that was fast—even earlier its world disclosure.
Just yesterday, Trend Micro published a study on a novel slice of macro-based self-replicating ransomware, dubbed "qkG," which exploits just the same MS business office characteristic that Buono described to our team.
Trend Micro researchers spotted qkG ransomware samples on VirusTotal uploaded past times individual from Vietnam, as well as they said this ransomware looks "more of an experimental projection or a proof of concept (PoC) rather than a malware actively used inward the wild."
The qkG ransomware employs Auto Close VBA macro—a technique that allows executing malicious macro when victim closes the document.
It should hold upwards noted that the above-mentioned Bitcoin address hasn't received whatever payment yet, which evidently agency that this ransomware has non withal been used to target people.
Moreover, this ransomware is currently using the same hard-coded password: "I’m QkG@PTM17! past times TNA@MHT-TT2" that unlocks affected files.
Here's How this New Attack Technique Works
If y'all are unaware, Microsoft has disabled external (or untrusted) macros past times default as well as to trammel default programmatic access to Office VBA projection object model, it besides offers users to manually enable "Trust access to the VBA projection object model," whenever required.
Buono institute that this setting tin hold upwards enabled/disabled simply past times editing a Windows registry, eventually enabling the macros to write to a greater extent than macros without user's consent as well as knowledge.
Victims Will hold upwards Unknowingly Responsible for Spreading Malware Further
In other words, if the victim mistakenly allows the malicious MD file to run macros once, his/her organisation would rest opened upwards to macro-based attacks.
Moreover, the victim volition besides hold upwards unknowingly responsible for spreading the same malicious code to other users past times sharing whatever infected business office files from his/her system.
This assault technique could hold upwards to a greater extent than worrisome when y'all have a malicious MD file from a trusted contact who induce got already been infected amongst such malware, eventually turning y'all into its side past times side assault vector for others.
Although this technique is non beingness exploited inward the wild, the researcher believes it could hold upwards exploited to spread unsafe self-replicating malware that could hold upwards hard to bargain amongst as well as seat an end.
Since this is a legitimate feature, nigh antivirus solutions practise non flag whatever alert or block MS Office documents amongst VBA code, neither the tech society has whatever plans of issuing a spell that would trammel this functionality.
Buono suggests "In gild to (partially) mitigate the vulnerability it is possible to motion the AccessVBOM registry cardinal from the HKCU hive to the HKLM, making it editable exclusively past times the organisation administrator."
The best way to protect yourself from such malware is ever to hold upwards suspicious of whatever uninvited documents sent via an e-mail as well as never click on links within those documents unless adequately verifying the source.
