Office documents with malicious VBA macros are being used to drop the BlackEnergy malware, the Kasidet backdoor and the Dridex banking Trojan.
Kaspersky Lab says that the Russian APT group known for attacking energy targets is using malicious Microsoft Word documents and spear phishing emails to spread the BlackEnergy Trojan in Ukraine. Meanwhile, according to Zscaler, a virulent campaign has been using the same tactic in the last two weeks for more run-of-the-mill info-stealing.
The BlackEnergy threat group, which targets ICS/SCADA, energy, government and media in Ukraine and worldwide, has been using malicious Excel and PowerPoint files to spread destructive malware since last year. Kaspersky's Global Research and Analysis Team Director Costin Raiu said that the perpetrators have now moved on to using Word documents.
“The earliest signs of destructive payloads with BlackEnergy go back as far as June 2014,” he said in a blog. “However, the old versions were crude and full of bugs. In the recent attacks, the developers appear to have gotten rid of the unsigned driver which they relied upon to wipe disks at low level and replaced it with more high level wiping capabilities that focus on file extensions as opposed to disks.”
But it’s not just potentially state-sponsored APT groups that like the tactic.
“Malicious Office documents are a popular vector for malware authors to deliver their payloads,” said Zscaler researchers in their analysis. “Dridex authors have leveraged this technique for over a year and it was interesting to see the same campaign and URLs being leveraged to deliver Kasidet payloads. While this does not establish any links between the two malware family authors, it reaffirms the fact that a lot of the underlying infrastructure and delivery mechanisms are often shared by these cyber criminals.”
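The delivery vector both campaigns share is a macro-enabled Office document. As an added example (not code from the article, Kaspersky or Zscaler), the check below flags OOXML packages (.docm/.xlsm/.pptm and mislabelled siblings) that carry a VBA project, by looking for a vbaProject.bin part and the matching content type; the sample documents it builds are constructed stand-ins, not real samples.

```python
"""Flag OOXML Office files that carry a VBA macro project (defender-side triage)."""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def macro_parts(data: bytes) -> list[str]:
    """Return evidence of a VBA project inside an OOXML (OPC zip) package.

    Empty list means no macro project was found, or the bytes are not a zip
    container at all (legacy binary .doc/.xls files need a different parser).
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Word, Excel and PowerPoint store the project under word/, xl/ or ppt/.
        found += [n for n in names if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in ctypes:
                found.append("[Content_Types].xml declares " + VBA_CONTENT_TYPE)
    return found


def has_macros(data: bytes) -> bool:
    return bool(macro_parts(data))


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal Word-like package for offline testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                     'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_macro:
            overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
        zf.writestr("[Content_Types].xml",
                    f'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">{overrides}</Types>')
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("macro", build_sample(True))):
        print(label, has_macros(sample), macro_parts(sample))
```

The file extension is deliberately ignored: a renamed .docx still carries its vbaProject.bin part, so inspect the package contents rather than the name.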
Zscaler took a look at Kasidet and found that it installs itself and then sets about stealing data from infected machines using two methods: memory scraping and browser hooking.
Memory scraping allows Kasidet to steal credit-card data from the memory of point-of-sale (PoS) systems. Browser hooking meanwhile allows Kasidet to steal data from Web browsers. It can inject code into Mozilla Firefox, Google Chrome and Internet Explorer, and uses the same hash function as used by Carberp malware to encrypt the browser names.