Microsoft warns users of new macro trick used to activate ransomware

Madeleine Dean By: Madeleine Dean
2 minute read

Home » News » Microsoft warns users of new macro trick used to activate ransomware

Researchers from Microsoft’s Malware Protection Center are warning users of a potentially high-risk new macro trick used by hackers to activate ransomware programs. The malicious macro targets Office apps and it’s a Word file that contains seven very skilfully hidden VBA modules and a VBA user form.

When researchers first checked the malicious macro, they could not detect it, as the VBA modules looked like legitimate SQL programs powered by a macro. After a second look, they realized the macro was actually a malicious code incorporating an encrypted string.

However, there wasn’t an immediate, obvious identification that this file was actually malicious. It’s a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements). […] However, after further investigation we noticed a strange string in the Caption field for CommandButton3 in the user form. […]

We went back and reviewed the other modules in the file, and sure enough – there’s something unusual going on in Module2. A macro there (UsariosConectados) decrypts the string in the Caption field for CommandButton3, which turns out to be a URL. It uses the deaultautoopen() macro to run the entire VBA project when the document is opened.

The macro connects to the URL (hxxp://clickcomunicacion.es/<uniqueid>) to download a payload detected as Ransom:Win32/Locky (SHA1: b91daa9b78720acb2f008048f5844d8f1649a5c4). It activates when users enable macros in Office files.

The only way to avoid getting your computer infected by viruses via Office-targeting macro-based malware is to enable macros only if you wrote them yourself, or you completely trust the person who wrote them. You can also install BitDefender’s AntiRansomware tool, a standalone tool, that doesn’t require Bitdefender security to be installed. Unlike other free security tools, BDAntiRansomware doesn’t pester you with ads.

Should you ever become the target of a ransomware attack, you can use this tool, ID Ransomware to identify the ransomware that encrypted your data. All you have to do is upload an infested file or the message the malware is displaying to your screen.  ID Ransomware can currently detect 55 types of ransomware but does not offer any file recovery services.

RELATED STORIES YOU NEED TO CHECK OUT:

Discussions

Next up

Here’s how to fix Minecraft fatal error on Windows 10

Tashreef Shareef avatar. By: Tashreef Shareef
4 minute read

Minecraft is a popular sandbox video game, but many users reported Fatal error in Minecraft. The Minecraft Fatal error can occur due to several reasons, […]

Continue Reading

Intel drivers are ready for Windows 10 May 2019 Update

Rabia Noureen avatar. By: Rabia Noureen
2 minute read

Intel recently rolled out new graphics driver updates for the 64-bit version of Windows 10 v1903. The company released these updates in order to avoid […]

Continue Reading

9 best tools to prevent your PC from sleeping or locking

Milan Stanojevic avatar. By: Milan Stanojevic
Less than a 1 minute read

By default your Windows 10 PC will lock itself or go to Sleep Mode in order to preserve power. Automatic locking can be useful because […]

Continue Reading