Threat Alert

by IthacaLabs™

THREAT LEVEL/High 09/07/2021

New Technique for Disabling Macro Security Warnings in Malicious Office Files found.

Threat Level Description

Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.


We have observed that a new technique for disabling macro security warnings in malicious Office files is utilized in sophisticated phishing campaigns.

Malicious actors, by utilizing this technique, could trick users to open malicious Office files in order to download malware and execute arbitrary code. Thus, the attackers could compromise the affected systems.

While it’s a norm for phishing campaigns, that distribute weaponized Microsoft Office documents, to prompt victims to enable macros in order to trigger the infection chain directly, new findings indicate attackers are using non-malicious documents to disable security warnings, prior to executing macro code to infect victims’ computers.

Researchers have identified an instance of this evasion technique, where malicious DLLs (ZLoader) are downloaded and executed without any malicious code present in the initial Microsoft Office file’s attachment macro.

The infection chain of this attack started with a phishing email containing a Microsoft Word document attachment that, when opened, downloaded a password-protected Microsoft Excel file from a remote server. Although, macros need to be enabled in the Word document to trigger the download itself.

After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as “functions”. Once the macros are written and ready, the Word document sets the policy in the registry to ‘Disable Excel Macro Warning’ and invokes the malicious macro function from the Excel file. The Excel file then downloads the ZLoader payload that is executed using “rundll32.exe”.

The ZLoader malware, a descendant of the infamous ZeuS banking trojan, is well known for aggressively using macro-enabled Office documents as an initial attack vector to steal credentials and personally identifiable information from users of targeted financial institutions.

It is worthy to note that malicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, creating agents dynamically to download payloads. Usage of such agents in the infection chain is not only limited to Word or Excel, but future attacks may use other tools to download its payloads.



Affected Systems

  • N/A


The guidelines below will help you protect against e-Fraud and its associated security threats:
* Do not open e-mail from unknown sources. Be suspicious of emails purporting to be from financial institution, government department, or other agency requesting account information, account verification or banking access credentials such as usernames, passwords, PIN codes, and similar information. Opening file attachments on clicking on web links in suspicious emails could expose your system to malicious code that could hijack your computer.
* Never respond to a suspicious email or click on any hyperlink embedded in a suspicious email. Call the purported source if you are unsure who sent an email.
* If an email claiming to be from your financial organization seems suspicious, checking with your financial organization may be appropriate.
* Consider enabling the “”Show hidden file-extensions””. One way that ransomware such as Cryptolocker frequently arrives is in a file that is named with the extension “.PDF.EXE”, counting on Window’s default behavior of hiding known file-extensions.
* Filter executable files in email. If your email gateway has the ability to filter files by extension, you may wish to deny mails sent with “.exe”, “”.scr””, “”.bat”” files, or to deny mails sent with files that have two file extensions, the last one being executable.
* Disable files running from AppData/LocalAppData folders. You can create rules within Windows or with Host Intrusion Prevention software, to disallow a particular, notable behavior used by malware, which is to run its executable from the App Data or Local App Data folders.
* Disable macros in Microsoft Office files. Most people may not be aware that Microsoft Office Files are like a file-system within a file system, which includes the ability to use a powerful scripting language to automate almost any action you could perform with a full executable file. By disabling macros in Office files, you deactivate the use of this scripting language.
* Install anti-virus and spyware detection software on all computer systems. Free software may not provide protection against the latest threats compared with an industry standard product.
* Update your computers regularly with the latest versions and patches of both antivirus and antispyware software.
* Ensure computers are patched regularly, particularly operating system and key application with security patches.
* Use a comprehensive Antispam Gateway Appliance. Businesses can better protect against spam by deploying a purpose-built e-mail gateway appliance at the network perimeter.
* It is strongly recommended to implement a Security Awareness program, addressed to all your management and staff, designed to increase the level of understanding regarding Social Engineering and security threats in general.


Get the latest Threat Alerts in your inbox.