Reference: My reply to KAM's post: "Looking for a sample of the Microsoft zero day print nightmare"

<RANT>
To continue my rant about the disconnect with the Security community, this ThreatPost article pops up on my Google feed "Microsoft Office Users Warned on New Malware-Protection Bypass".  I think not. A typical Microsoft Office user is "Joe Average", and good ol' Joe can't tell a ThreatPost from a Fencepost.  But five paragraphs down, this caught my eye: "The initial attack vector is inbox-based phishing messages with Word document attachments that contain no malicious code."  Now we're talking.  Golly, maybe I can help!  So, I read on...

Just a whole lot of uselessness for a Mail Admin:  Unknown file attachment name, Unknown From Name/Email Address, Unknown IP address, Unknown message Subject, Unknown message strings, etc.  You can read the post here: https://threatpost.com/microsoft-office-malware-protection-bypass/167652/

ThreatPost is the media arm of McAfee (mostly), and within the article is a link to an article by a couple of McAfee researchers, found here: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/

The article goes to great lengths to explain that the observed infections are mostly in the US and Canada.  The Word document (without macros) loads an external encrypted Excel file and through the power of DDE, writes VBA macros into the Excel file, and then disables Macro Warnings in the computer's registry.  The coup de grâce is the download and execution of ZLoader.  Then it's game over for "Joe Average".

Of course, there's a lot of excitement over the technical wizardry therein; Word document analysis, VBA Code analysis, Excel Cell Structures, and the like.  But again, it is totally useless for Mail Admins, who ultimately are in the best position to mitigate the widespread distribution of this infection.  Great researchers they may be, but useful communicators they are NOT.

Both articles conclude with the statement "We suggest it is safe to enable them (macros) only when the document received is from a trusted source".  I really don't understand that comment since the entire unique nature of the exploit is to disable the macro warnings entirely.  It sure sounds like Emotet 2.0 in the making.  So Anti-Virus/Malware companies will hype up their products, Phishing companies create new courses, and Firewall companies start blocking "11.php and 22.php's" and all kinds of "heavenlygems".  Everybody wants to sell a cure, but mitigation be damned.

Maybe some 400-pound anti-spam nut in New Jersey would've stopped the whole thing.  We'll never know.  We anti-spam folks are forced to sit on the bench, waiting for another billion dollars in damages.
</RANT>

$0.02,

-- Jared Hall
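Added example, not part of Jared Hall's post nor code from the ThreatPost or McAfee write-ups: a small gateway-side check of the kind a mail admin could actually run on an attachment, based on the one structural fact the post does give (a macro-less Word document that reaches out to an external Excel file via DDE). It assumes only the standard OOXML package layout: Word field instructions live in `<w:instrText>` runs or `<w:fldSimple w:instr>` attributes inside `word/*.xml`, and anything the document fetches from outside the package is declared as a `TargetMode="External"` relationship in a `.rels` part. The sample documents, the `placeholder.invalid` URL and the field text are constructed fixtures, not indicators from the campaign. The scanner flags a DDE/DDEAUTO keyword even when it is split across runs, and lists every non-hyperlink external relationship; an external fetch done through a LINK field instead of a relationship would need the field text inspected as well.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace of OOXML package relationship parts (e.g. word/_rels/document.xml.rels).
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Field instructions in WordprocessingML: complex fields carry their text in
# <w:instrText> runs (frequently split into several runs), simple fields in the
# w:instr attribute of <w:fldSimple>.
INSTR_RE = re.compile(
    r'<w:instrText[^>]*>(.*?)</w:instrText>|<w:fldSimple[^>]*\sw:instr="([^"]*)"', re.S)
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.I)

# Relationship types that legitimately point outside the package and are
# too common in clean mail to be worth holding on their own.
BENIGN_EXTERNAL_TYPES = {"hyperlink"}


def scan_docx(data: bytes) -> dict:
    """Scan a .docx (OOXML zip) held in memory.

    Returns a dict with:
      dde_fields       - (part name, joined field text) for each part whose
                         field instructions contain a DDE/DDEAUTO keyword
      external_targets - (rels part, relationship type, target) for every
                         relationship with TargetMode="External", hyperlinks excluded
    """
    findings = {"dde_fields": [], "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                xml = z.read(name).decode("utf-8", errors="replace")
                # Join every instruction fragment of the part before matching, so a
                # keyword split across runs ("DDE" + "AUTO") is still seen whole.
                instr = "".join(a or b for a, b in INSTR_RE.findall(xml))
                if DDE_RE.search(instr):
                    findings["dde_fields"].append((name, " ".join(instr.split())))
            elif name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    if rel.get("TargetMode") != "External":
                        continue
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    if rel_type in BENIGN_EXTERNAL_TYPES:
                        continue
                    findings["external_targets"].append((name, rel_type, rel.get("Target")))
    return findings


def verdict(findings: dict) -> str:
    """Gateway decision: any DDE field or external object link holds the message."""
    return "quarantine" if findings["dde_fields"] or findings["external_targets"] else "pass"


def build_docx(with_dde: bool, with_external: bool) -> bytes:
    """Build a minimal constructed .docx in memory (test fixture, not a real sample).

    The field text and the external target are placeholders; only the package
    structure matters to the scanner.
    """
    field = ""
    if with_dde:
        # Keyword deliberately split across two runs, the way evasive lures do it.
        field = ('<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
                 '<w:r><w:instrText>DDE</w:instrText></w:r>'
                 '<w:r><w:instrText>AUTO "placeholder-app" "placeholder-args"</w:instrText></w:r>'
                 '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Invoice attached.</w:t></w:r></w:p>' + field + '</w:body></w:document>')
    # A plain hyperlink is present in both fixtures and must not trigger by itself.
    rels = ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            'Target="https://example.com/" TargetMode="External"/>')
    if with_external:
        rels += ('<Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                 'Target="http://placeholder.invalid/book.xlsx" TargetMode="External"/>')
    rels_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                + rels + '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_docx(True, True)), ("clean", build_docx(False, False))):
        found = scan_docx(blob)
        print(label, verdict(found), found)
```

Run as-is it scans the two constructed fixtures and prints `lure quarantine` and `clean pass`; wired into a milter or content filter it gives a Mail Admin a structural rule that does not depend on knowing the sender, subject or attachment name of a particular campaign.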
