Malicious RTF Persistently Asks Users to Enable Macros

A malicious RTF (Rich Text Format) document has been persistently displaying an alert to ask users to enable macros, Zscaler security researchers have discovered.

As part of this unique infection chain, the malicious document forces the victims to execute an embedded VBA macro designed to download the QuasarRAT and NetWiredRC payloads.

While analyzing the attack, the security researchers discovered that the actor included macro-enabled Excel sheets inside the malicious RTF documents, to trick users into allowing the execution of payloads.

The RTF document features the .doc extension and is opened with Microsoft Word. When that happens, a macro warning popup is displayed, prompting the user to either enable or disable the macro.

However, the malicious RTF document repeatedly displays the warning popups even if the targeted user clicks on the “Disable Macros” button. By persistently displaying the alert, the malicious actor increases the chances for the user giving in and allowing the macro to run.

The analyzed malicious RTF contains 10 embedded Excel spreadsheets, meaning that the warning is displayed 10 times. Users can’t stop these popups unless they click through all of them or force-quit Word, Zscaler notes.

The attack relies on the use of “objupdate” control for the embedded Excel sheet objects (OLE object). This function would trigger the macro code inside the embedded Excel sheet when the RTF document is being loaded in Microsoft Word, thus causing the multiple macro warning popups to appear.

The same “objupdate” control was observed being abused in attacks leveraging the CVE-2017-0199 vulnerability that Microsoft patched in April last year. The new attack, however, does not exploit this vulnerability or another Office security flaw.

The actor behind this campaign used two variations of the malicious macro. The code executes a PowerShell command to download intermediate payloads using Schtasks and cmd.exe. By performing registry modifications, the malware would also permanently enable macros for Word, PowerPoint, and Excel.

The macro downloads a malicious VBS file which terminates all running Word and Excel instances, downloads a final payload using the HTTPS protocol and executes the payload.

Next, it enables macros for Office and disables protected view settings in the suite, creates a scheduled task to run the downloaded payload after 200 minutes, deletes the scheduled task, and downloads an additional payload to the same location.

Zscaler observed the attack dropping two Remote Access Trojans (RATs), namely NetwiredRC and QuasarRAT. NetwiredRC can find files, launch remote shell, log keystrokes, capture screen, steal passwords, and more. QuasarRAT is free and open source, and is believed to be an evolution of xRAT. It has features such as remote webcam, remote shell, and keylogging.

Related: Gaza Cybergang Uses QuasarRAT to Target Governments

Related: Microsoft Patches Office, IE Flaws Exploited in Attacks

Original author: Ionut Arghire