Don’t ‘Enable Macro if you can’t read the entire document’!

9 April 2016

Since some weeks so-called file-less malware is experiencing a new boom. File-less malware is used in cyber-attacks for some years now. New is, that no executable is downloaded from a C&C server. Once the Trojan has become persistent it downloads a PowerShell script from the C&C server and uses PowerShell for encrypting the victim’s files.

PowerShell gives the attacker access to the Windows cryptographic functions. In this case, the AES standard is used. For more details, please see this analysis on malwr.com.

Actually, this is nothing new. Even the delivery method, in this case a spear phishing attack with a Word document, is well-known. And in the case that editing is deactivated for security reasons, the attacker provides concise instructions for activation:

PowerWare Ransomware Instructions to disable Macro Security

PowerWare Ransomware Instructions to disable Macro Security. Picture Credits: Carbonblack.com

The great challenge is to keep user awareness high. Hopefully this will prevent users to go ahead as follows:

Have a good weekend.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s