This attack makes use of macros and malicious documents. In research performed by Trend Micro, it became clear that the macro hidden in the document searches for desktop shortcuts and replaces their targets with malicious destinations. Once the user clicks one of the shortcuts, the user is redirected to download additional malware onto the device.
The shortcuts which are targeted are:
- Google Chrome
- Mozilla Firefox
- Internet Explorer
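Because the macro rewrites the target of an existing shortcut, the simplest host-side check is to resolve each browser shortcut on the desktop and compare where it actually points. The following PowerShell audit is an added example, not code from this post or from the Trend Micro research: it enumerates .lnk files on the user's and the public desktop, resolves each through the WScript.Shell COM object, and flags any shortcut named after one of the three browsers whose target is not the expected browser binary, lies outside the usual install roots, or carries command-line arguments. The expected-binary table and the list of trusted install roots are assumptions made here.

```powershell
# Added example (not from the post or the Trend Micro research): audit desktop
# shortcuts that claim to be a browser but no longer launch the browser.
function Get-SuspiciousBrowserShortcut {
    [CmdletBinding()]
    param(
        # Desktop folders to audit; defaults to the current user's and the public desktop.
        [string[]]$Folder = @(
            [Environment]::GetFolderPath('Desktop'),
            [Environment]::GetFolderPath('CommonDesktopDirectory')
        )
    )

    # Shortcut display name -> executable the shortcut should launch (assumption).
    $expected = @{
        'Google Chrome'     = 'chrome.exe'
        'Mozilla Firefox'   = 'firefox.exe'
        'Internet Explorer' = 'iexplore.exe'
    }

    # Directories a legitimate browser install lives under (assumption; extend
    # the list if your fleet uses portable or non-standard installs).
    $trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) |
        Where-Object { $_ }

    $shell = New-Object -ComObject WScript.Shell

    foreach ($dir in $Folder) {
        foreach ($file in Get-ChildItem -Path $dir -Filter *.lnk -File -ErrorAction SilentlyContinue) {
            # Which browser does this shortcut claim to be? Skip everything else.
            $claimed = $expected.Keys | Where-Object { $file.BaseName -like "*$_*" } | Select-Object -First 1
            if (-not $claimed) { continue }

            $lnk       = $shell.CreateShortcut($file.FullName)
            $target    = [string]$lnk.TargetPath
            $arguments = [string]$lnk.Arguments
            $leaf      = if ($target) { [IO.Path]::GetFileName($target) } else { '' }

            $reasons = New-Object System.Collections.Generic.List[string]

            # 1. The target binary is not the browser the shortcut is named after.
            if ($leaf -ne $expected[$claimed]) {
                $reasons.Add("target is '$leaf', expected '$($expected[$claimed])'")
            }

            # 2. The target lives somewhere a browser installer never writes to.
            $underTrustedRoot = $trustedRoots | Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') }
            if (-not $underTrustedRoot) {
                $reasons.Add("target '$target' is outside the trusted install roots")
            }

            # 3. Installer-created browser shortcuts carry no arguments, so any
            #    argument string deserves a look.
            if ($arguments.Trim()) {
                $reasons.Add("unexpected arguments: $arguments")
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Shortcut  = $file.FullName
                    Claims    = $claimed
                    Target    = $target
                    Arguments = $arguments
                    Modified  = $file.LastWriteTime   # useful for lining up with document-open times
                    Reasons   = $reasons -join '; '
                }
            }
        }
    }
}

# Usage: list every browser shortcut that needs a second look.
Get-SuspiciousBrowserShortcut | Format-List
```

The `Modified` timestamp is included on purpose: a browser shortcut whose last write time coincides with a user opening an attachment is exactly the pattern this attack leaves behind, and it is cheap to correlate with mail or EDR logs.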
Solutions and mitigation
This malware, from the use of its macro to its installation, exhibits very unusual behavior and is likely still under development. We believe that the malware is not widely spread and has had only a few victims so far. However, it is important to be aware of this malware and method of attack, as newer and improved versions may be in the works.
Microsoft has macros disabled by default, as it is aware of how malware actors exploit the embedded code. Gaining familiarity with the system's macro settings can help users make the best use of macros while still filtering attacks that use them, but it is generally recommended to avoid downloading and enabling macros for documents from new or unknown sources.
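To make "familiarity with the system's macro settings" concrete, the script below (an added example, not from this post or the Trend Micro research) reports the effective macro setting for Word, Excel and PowerPoint for the current user. It reads the `VBAWarnings` value that the Trust Center stores under the Office 16.0 registry key, preferring the Group Policy copy when one exists, and also shows whether the policy that blocks macros in files downloaded from the internet is set. The assumption that the installation uses the 16.0 version key (Office 2016, 2019 and Microsoft 365) is made here; older versions use a different number.

```powershell
# Added example (not from the post or the Trend Micro research): report the
# effective Office macro setting per application for the current user.
# Assumption: Office version key 16.0; adjust $officeVersion for other releases.
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings DWORD as written by the Trust Center.
$meaning = @{
    1 = 'Enable all macros (dangerous)'
    2 = 'Disable all macros with notification (Office default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-OfficeMacroSetting {
    foreach ($app in $apps) {
        # The Policies hive (Group Policy) overrides the user's own Trust Center choice.
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        $userKey   = "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security"

        $policy = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $user   = (Get-ItemProperty -Path $userKey   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings

        # When the value is absent Office applies its default: disable with notification.
        $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $user) { $user } else { 2 }
        $source    = if ($null -ne $policy) { 'Group Policy' } elseif ($null -ne $user) { 'user setting' } else { 'default (value absent)' }

        # Separate policy: block macros in files carrying the Mark of the Web.
        $blockMotw = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

        [pscustomobject]@{
            Application          = $app
            VBAWarnings          = $effective
            Meaning              = $meaning[[int]$effective]
            Source               = $source
            BlockInternetMacros  = if ($blockMotw -eq 1) { 'enforced' } else { 'not set' }
        }
    }
}

# Usage: anything showing VBAWarnings = 1, or "not set" for internet macros, is worth fixing.
Get-OfficeMacroSetting | Format-Table -AutoSize
```

A reading of `1` means every macro runs silently, which is the one state in which the document described above needs no user interaction at all beyond opening it; `3` or `4`, combined with the internet-block policy, is where a managed fleet should sit.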