A common tactic for threat actors is to exploit weaknesses in human behaviour. Over the years, a combination of poor configuration and habit has conditioned users into ‘click YES’ syndrome. A common vector for attackers is to send emails with document attachments that either embed macros or abuse Office document OLE functionality.

Below is a live sample of a phishing document. As you can see, it has been styled to resemble the Office user interface.

The document is crafted to trick the recipient into clicking ‘Enable Content’, which would run the embedded Visual Basic for Applications (VBA) macro.

We loaded this sample onto one of our research virtual machines to track the endpoints it connected to.

As you can see, the method used to execute was a VBA macro using the ‘AutoOpen’ feature of Office.


The macro’s code is obfuscated in a basic manner and password protected.

Investigating this, it appears to connect to a server hosted on (but not owned by) Microsoft Azure in Hong Kong (https://www.shodan.io/host/207.46.153.155).

Combating the threat

OK, so phishing is not a new tactic, yet it remains a common entry point for attacks into organisations. The key point here is how to combat this technique; below we provide some high-level defensive options for combating phishing.

  • User awareness, training and phishing simulations
  • Disable macros (or limit execution)
  • Run up to date antivirus/antimalware/EDR solutions
  • Use a mail hygiene service
  • Use a web content filter/proxy service

Clearly, on top of these, standard security good practices should be adopted. Attackers constantly update their tactics, techniques and procedures (TTPs) to bypass and evade defensive countermeasures. A layered approach is what gives you the edge when protecting against phishing attacks.
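One concrete way to apply the ‘limit macro execution’ option at the mail gateway is to inspect Word attachments for an embedded VBA project before a user ever sees the ‘Enable Content’ bar. The check below is an added example written for this post, not code from the original analysis; the sample documents it builds in memory are constructed stand-ins (the vbaProject.bin payload is a placeholder, not real VBA), and the `triage_word_attachment` function name is our own.

```python
import io
import zipfile

# An OOXML Word file (.docx/.docm) is a zip. Macro-enabled files carry
# word/vbaProject.bin and declare it in [Content_Types].xml. The extension
# is not a reliable signal, so the check inspects the package contents.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
VBA_PART = "word/vbaProject.bin"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal in-memory Word package for testing (not a real document)."""
    override = (
        f'<Override PartName="/{VBA_PART}" ContentType="{VBA_CONTENT_TYPE}"/>'
        if with_macro else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{override}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0placeholder")  # placeholder, not real VBA
    return buf.getvalue()


def triage_word_attachment(data: bytes) -> dict:
    """Flag an OOXML Word attachment that carries an embedded VBA project.

    Returns the evidence found so a gateway rule or analyst can quarantine
    the attachment rather than rely on the recipient not clicking 'Enable Content'.
    """
    result = {"is_ooxml": False, "has_vba_part": False,
              "declares_vba": False, "verdict": "clean"}
    if not data.startswith(b"PK"):
        return result  # legacy OLE2 .doc or not a zip package; needs a different parser
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            result["is_ooxml"] = "[Content_Types].xml" in names
            result["has_vba_part"] = VBA_PART in names
            if result["is_ooxml"]:
                types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
                result["declares_vba"] = VBA_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        return result  # corrupt or truncated package; treat as unparseable, not clean-by-default
    if result["has_vba_part"] or result["declares_vba"]:
        result["verdict"] = "macro-enabled: review or quarantine"
    return result
```

Legacy binary .doc files store macros in an OLE2 storage rather than a zip entry, so they need an OLE parser; this check deliberately returns no verdict for them instead of reporting a false ‘clean’.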
