- May 7, 2016
A series of attacks carried out against banks in the Middle East in early May was using unique scripts that are not commonly seen in crimeware campaigns, researchers at FireEye warn.
The attacks were carried out via emails containing macro-enabled Microsoft Excel files sent to bank employees. According to FireEye, the emails were targeted, with one such message supposedly containing the conversation between several employees and the contact details of employees from several banks.
When run, the malicious macro extracts base64-encoded content from a worksheet, then checks for the presence of %PUBLIC%\Libraries\update.vbs and creates three directories under %PUBLIC%\Libraries, should the file be missing. The initially extracted content is then decoded using PowerShell and dropped into %PUBLIC%\Libraries\update.vbs and %PUBLIC%\Libraries\dns.ps1. Next, the macro creates the GoogleUpdateTaskMachineUI scheduled task that executes update.vbs every three minutes.
FireEye’s researchers also observed that additional content was displayed after the macro executed successfully – a social engineering technique meant to convince victims that the macro was legitimately revealing additional spreadsheet data. Usually, no additional content is displayed after enabling the macros, but the attackers took the extra step in this campaign, in an attempt to eliminate possible suspicion.
Read More: Attacks Against Banks Leverage Macros, PowerShell | SecurityWeek.Com
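The chain the post describes (an Excel macro spawning PowerShell to decode base64, scripts dropped under %PUBLIC%\Libraries, and a scheduled task that re-runs update.vbs every three minutes) is what a detection engineer would hunt for in endpoint telemetry. The Python below is an added example, not code from the SecurityWeek or FireEye write-up: it runs a handful of rules over constructed Sysmon-style event records. The event field names, process paths, command lines and the benign events are assumptions made for the example; the %PUBLIC%\Libraries paths, the file names update.vbs and dns.ps1, the three-minute interval and the task name GoogleUpdateTaskMachineUI come from the post.

```python
"""Rule-based detection for the macro -> PowerShell -> scheduled-task chain.

Events are simplified, constructed Sysmon-like dicts (field names are an
assumption for this example, not a real Sysmon schema).
"""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "schtasks.exe"}
PUBLIC_LIBRARIES = re.compile(r"\\users\\public\\libraries\\", re.IGNORECASE)
DROPPED_NAMES = {"update.vbs", "dns.ps1"}        # file names from the write-up
TASK_NAME = "GoogleUpdateTaskMachineUI"          # task name from the write-up
SHORT_INTERVAL_MINUTES = 5                       # three-minute re-execution is well under this
# -e / -enc / -EncodedCommand, or an explicit FromBase64String call
BASE64_DECODE = re.compile(r"(?i)(-e(nc(odedcommand)?)?\b|frombase64string)")

def basename(path):
    """Last path component, lower-cased, for case-insensitive Windows matching."""
    return path.rsplit("\\", 1)[-1].lower()

def check_process(ev):
    findings = []
    parent, child = basename(ev.get("parent_image", "")), basename(ev.get("image", ""))
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        findings.append(("office_spawns_script_host", f"{parent} -> {child}"))
    cmd = ev.get("cmdline", "")
    if child == "powershell.exe" and BASE64_DECODE.search(cmd):
        findings.append(("powershell_base64_decode", cmd))
    return findings

def check_file(ev):
    target = ev.get("target", "")
    name = basename(target)
    if PUBLIC_LIBRARIES.search(target) and name.rsplit(".", 1)[-1] in {"vbs", "ps1"}:
        severity = "high" if name in DROPPED_NAMES else "medium"
        return [("script_dropped_in_public_libraries", f"{severity}: {target}")]
    return []

def check_task(ev):
    findings = []
    name, action = ev.get("task_name", ""), ev.get("task_action", "")
    if name == TASK_NAME:
        findings.append(("known_task_name", name))
    if PUBLIC_LIBRARIES.search(action):
        findings.append(("task_runs_public_libraries_script", action))
    if ev.get("interval_minutes", 10**6) <= SHORT_INTERVAL_MINUTES:
        findings.append(("short_interval_task", f"{name} every {ev['interval_minutes']} min"))
    return findings

HANDLERS = {"ProcessCreate": check_process, "FileCreate": check_file, "TaskRegistered": check_task}

def scan(events):
    """Return a list of (rule, detail) findings for the given event records."""
    findings = []
    for ev in events:
        findings.extend(HANDLERS.get(ev.get("event"), lambda _e: [])(ev))
    return findings

# Constructed sample telemetry modelled on the post (paths/command lines are assumptions).
EXCEL = r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SUSPICIOUS_EVENTS = [
    {"event": "ProcessCreate", "parent_image": EXCEL, "image": PS,
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64-placeholder>"},
    {"event": "FileCreate", "image": PS, "target": r"C:\Users\Public\Libraries\update.vbs"},
    {"event": "FileCreate", "image": PS, "target": r"C:\Users\Public\Libraries\dns.ps1"},
    {"event": "TaskRegistered", "task_name": TASK_NAME, "interval_minutes": 3,
     "task_action": r"wscript.exe C:\Users\Public\Libraries\update.vbs"},
]
BENIGN_EVENTS = [
    {"event": "ProcessCreate", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"event": "FileCreate", "image": EXCEL, "target": r"C:\Users\alice\Documents\report.xlsx"},
    {"event": "TaskRegistered", "task_name": "Vendor Update Task", "interval_minutes": 1440,
     "task_action": r"C:\Program Files\Vendor\updater.exe"},
]
SAMPLE_EVENTS = SUSPICIOUS_EVENTS + BENIGN_EVENTS

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule is weak on its own (an Office process launching PowerShell has legitimate uses), so in practice the findings would be correlated per host and time window; the task-name and file-name rules are the sharpest because they are tied to this campaign, while the Public\Libraries and short-interval rules survive a renamed task.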