Malware authors are increasingly devising new tricks using non-malicious documents to disable macro security warnings prior to executing code to infect computers. According to researchers at McAfee Labs, there is a novel tactic used by hackers that "downloads and executes malicious DLLs (ZLoader) without any malicious code present in the initial spammed attachment macro."
The researchers discovered that ZLoader infections propagated through this mechanism started with a phishing email containing a Microsoft Word document attachment that, if opened, downloads a password-protected Microsoft Excel file from a remote server.
How Do Hackers Use the New Trick to Disable Macro Warnings in Malicious Office Files?
ZLoader infections primarily targeted victims in the U.S., Canada, Japan, and Spain. The malware is a descendant of the infamous banking trojan ZeuS, which is known for aggressively employing macro-enabled Office documents as an initial attack vector to steal personally identifiable information from users of financial institutions.
After downloading the XLS file, the Word document reads the cell contents from the XLS, creates a new macro for the same XLS file, and writes the cell contents to XLS VBA macros as functions. Once the macros are written and ready, the Word document sets the policy in the registry to 'Disable Excel Macro Warning' and invokes the malicious macro function from the Excel file.
While macros need to be enabled in the Word document to trigger the download itself, by simply turning off the security warning the attackers were able to stay undetected. The obfuscation techniques used by these attackers have been evolving over the years.
Interestingly, the malware not only lured users into enabling macros but also had embedded files containing XLM macros that download and execute a malicious second-stage payload retrieved from a remote server.
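One way to watch for the registry change described above, as an added example that is not from the McAfee report or this article: the Python below scans registry value-set events for Excel macro settings being switched to their permissive value and raises the priority when the writer is not Excel itself. The article does not name the registry values; the documented Office settings VBAWarnings and AccessVBOM, the simplified pipe-separated event layout, and the sample events are assumptions made for this example.

```python
import re

# Assumption: the article does not name the registry values. VBAWarnings
# (1 = enable all macros) and AccessVBOM (1 = trust access to the VBA project
# object model) are the documented Office settings assumed here.
KEY_RE = re.compile(
    r"\\Software\\(?:Policies\\)?Microsoft\\Office\\\d+\.\d+\\Excel\\Security\\"
    r"(VBAWarnings|AccessVBOM)$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")

# Constructed sample events: image|target object|details, a simplified layout
# loosely modelled on registry value-set telemetry (hypothetical format).
OFFICE = r"C:\Program Files\Microsoft Office\Office16"
SEC = r"HKU\S-1-5-21-1111\Software\Microsoft\Office\16.0\Excel\Security"
SAMPLE_EVENTS = [
    f"{OFFICE}\\WINWORD.EXE|{SEC}\\AccessVBOM|DWORD (0x00000001)",
    f"{OFFICE}\\WINWORD.EXE|{SEC}\\VBAWarnings|DWORD (0x00000001)",
    f"{OFFICE}\\EXCEL.EXE|{SEC}\\VBAWarnings|DWORD (0x00000002)",
    r"C:\Windows\System32\svchost.exe|HKLM\SOFTWARE\Example\Setting|DWORD (0x00000001)",
]


def classify(event):
    """Return a finding dict if the event weakens Excel macro security, else None."""
    image, target, details = event.split("|", 2)
    key = KEY_RE.search(target)
    val = VALUE_RE.fullmatch(details.strip())
    if not key or not val or int(val.group(1), 16) != 1:
        return None
    writer = image.rsplit("\\", 1)[-1].lower()
    # Excel writing its own setting may be a user change in the Trust Center;
    # any other writer (such as Word, as in the chain above) ranks higher.
    severity = "medium" if writer == "excel.exe" else "high"
    return {"severity": severity, "writer": writer, "setting": key.group(1)}


def scan(events):
    """Classify every event and keep only the findings."""
    return [hit for hit in map(classify, events) if hit]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```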