Attacks Against Banks Leverage Macros, PowerShell

Captain Awesome

Level 23
Thread author
Verified
Top Poster
Well-known
May 7, 2016
1,285
A series of attacks carried out against banks in the Middle East in early May were using unique scripts that are not commonly seen in crimeware campaigns, researchers at FireEye warn.

The attacks were carried out via emails containing macro-enabled Microsoft Excel files sent to bank employees. According to FireEye, the emails were targeted, with one such message supposedly containing the conversation between several employees and the contact details of employees from several banks.

When run, the malicious macro extracts base64-encoded content a worksheet, then checks for the presence of %PUBLIC%\Libraries\ update.vbs and creates three directories under%PUBLIC%\Libraries, should the file be missing. The initially extracted content is then decoded using PowerShell and dropped into %PUBLIC%\Libraries\update.vbs and%PUBLIC%\Libraries\dns.ps1. Next, the macro creates the GoogleUpdateTaskMachineUI scheduled task that executes update.vbs every three minutes.

FireEye’s researchers also observed that additional content was displayed after the macro executed successfully – a social engineering technique meant to convince victims that the macro was legitimately revealing additional spreadsheet data. Usually, no additional content is displayed after enabling the macros, but the attackers took the extra step in this campaign, in an attempt to eliminate possible suspicion.
Read More:Attacks Against Banks Leverage Macros, PowerShell | SecurityWeek.Com
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Getting complex, thats sneaky, hence the "always playing catch up" motto
Nice share Capt. :)
PeAcE
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top