The Microsoft Malware Protection Center (MMPC) has warned Office users to be wary of any macros that come as an attachment in emails and social engineering sites.
The MMPC has witnessed a steady increase in enable-macros based malware in the recent months. Macros are codes in Microsoft Office that allow automation of processes to improve productivity.
Two of the most active malware of this category include Adnel and Tarbir (a kind of Trojan downloaders), both targeting the US- and UK-based home users and enterprise customers.
“The combination of the instructional document, spam email with supposed monetary content, and a seemingly relevant file name, can be enough to convince an unsuspecting user to click the Enable Content button,” said the MMPC website report.
Various subjects used in spam emails :
- ACH Transaction Report
- DOC-file for report is ready
- Invoice as requested
- Invoice – P97291
- Order – Y24383
- Payment Details
- Remittance Advice from Engineering Solutions Ltd
- Your Automated Clearing House Transaction Has Been Put On
The email attachments in the Adnel and Tarbir campaigns using the attachment file names similar to those below:
- 20140918_122519.doc
- 813536MY.xls
- ACH Transfer 0084.doc
- Automated Clearing House transfer 4995.doc
- BAC474047MZ.xls
- BILLING DETAILS 4905.doc
- CAR014 151239.doc
- ID_2542Z.xls
- Fuel bill.doc
- ORDER DETAILS 9650.doc
- Payment Advice 593016.doc
- SHIPPING DETAILS 1181.doc
- SHIP INVOICE 1677.doc
- SHIPPING NO.doc
Microsoft Office’s default settings are set to “Disable all macros with notification.” Hence, the malicious emails prompt users to enable the macros manually. Once that is done, malware code infects the system.
