Earlier this month a cyber-security researcher shared details of a security loophole with The Stalker’s Security that affects all versions of Microsoft Office, allowing malicious actors to create and spread macro-based self-replicating malware.
Macro-based self-replicating malware, in which a macro writes further macros into other documents, is nothing new, but to limit it Microsoft added a safeguard to MS Office: the "Trust access to the VBA project object model" option, which is disabled by default and prevents macros from reading or modifying the VBA code of other documents and templates.
Lino Antonio Buono, an Italian security researcher who works at InTheCyber, reported a simple technique (demonstrated in the video described below) that allows anyone to bypass this control and create self-replicating malware hidden inside innocent-looking MS Word documents.
What's worse, when the researcher contacted Microsoft in October this year, the company declined to treat the issue as a security vulnerability, saying the feature works as intended, the same position it took on the MS Office DDE feature, which attackers are now actively abusing.
New ‘qkG Ransomware’ Found Using Same Self-Spreading Technique
One piece of malware using this technique has already surfaced, even before the technique was publicly disclosed.
Just yesterday, Trend Micro published a report on a new macro-based self-replicating ransomware, dubbed "qkG", which abuses exactly the MS Office feature that Buono described to our team.
Trend Micro researchers spotted qkG ransomware samples on VirusTotal uploaded by someone from Vietnam, and they said this ransomware looks “more of an experimental project or a proof of concept (PoC) rather than a malware actively used in the wild.”
qkG is triggered by an AutoClose VBA macro, a procedure that Word runs automatically when a document is closed, so the malicious code executes as the victim closes the file rather than when it is opened. It is this macro that copies the malicious code into the global Normal template, which is how the ransomware spreads: documents opened afterwards pick up the macro as well.
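The safeguard described above (a macro must flip the trust setting before it can write into another VBA project) and the AutoClose trigger qkG uses are both visible in extracted macro source, so they can be triaged from it. The scanner below is an added example written for this article, not code from qkG, from Buono's proof of concept, or from Trend Micro. It assumes the macro source has already been extracted as text (for example with oletools' olevba), the two VBA samples it scans are constructed for the example, and it relies on one fact from Microsoft's Office settings: the "Trust access to the VBA project object model" option is stored in a registry value named AccessVBOM. It looks for three things together, an auto-executing entry point, use of the VBE object model (VBProject/CodeModule, the replication primitive), and a write to AccessVBOM, and it joins VBA line continuations and strips comments first so a mention in a comment does not count:

```python
# Added example for this article: a triage scanner for extracted VBA source.
import re

# Procedure names Word runs on its own (auto macros and document events).
AUTO_EXEC_NAMES = {"autoopen", "autoclose", "autoexec", "autonew", "autoexit",
                   "document_open", "document_close", "document_new"}

# Capability indicators, matched on comment-stripped, continuation-joined text.
CAPABILITIES = [
    # AccessVBOM is the registry value behind "Trust access to the VBA project object model".
    ("vbom_registry_write", re.compile(r"accessvbom", re.I)),
    ("registry_api", re.compile(r"\b(RegWrite|RegSetValue\w*|SaveSetting)\b", re.I)),
    # The replication primitive: VBE object-model access to a project's code.
    ("vba_project_access", re.compile(r"\b(VBProject|VBComponents|CodeModule)\b", re.I)),
    ("code_injection", re.compile(r"\b(AddFromString|InsertLines|AddFromFile)\b", re.I)),
    # Persistence target: the global template every Word document loads.
    ("normal_template", re.compile(r"NormalTemplate|Normal\.dotm?", re.I)),
]

PROC_RE = re.compile(
    r"^[ \t]*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\b"
    r".*?^[ \t]*End\s+(?:Sub|Function)\b",
    re.I | re.M | re.S)


def normalize(src: str) -> str:
    """Join VBA line continuations (" _") and drop ' comments outside string literals."""
    joined = re.sub(r"[ \t]+_[ \t]*\r?\n", " ", src)
    out = []
    for line in joined.splitlines():
        kept, in_str = [], False
        for ch in line:
            if ch == '"':
                in_str = not in_str
            elif ch == "'" and not in_str:
                break  # rest of the line is a comment
            kept.append(ch)
        out.append("".join(kept))
    return "\n".join(out)


def parse_procedures(src: str) -> list:
    """Return (name, auto_exec, capabilities) for each Sub/Function in the source."""
    procs = []
    for m in PROC_RE.finditer(normalize(src)):
        name = m.group(1)
        caps = {label for label, rx in CAPABILITIES if rx.search(m.group(0))}
        procs.append((name, name.lower() in AUTO_EXEC_NAMES, caps))
    return procs


def assess(src: str) -> dict:
    """Self-replication needs an automatic trigger plus the ability to write VBA code."""
    procs = parse_procedures(src)
    caps = set().union(*(c for _, _, c in procs))
    auto = [n for n, is_auto, _ in procs if is_auto]
    writes_vba = bool(caps & {"vba_project_access", "code_injection"})
    if writes_vba and auto:
        verdict = "self-replicating macro"
    elif writes_vba:
        verdict = "VBA-writing macro (manual trigger)"
    else:
        verdict = "no VBA-writing capability"
    return {"procedures": [n for n, _, _ in procs], "auto_exec": auto,
            "capabilities": sorted(caps),
            "tampers_trust_setting": "vbom_registry_write" in caps,
            "verdict": verdict}


# Constructed sample in the shape the article describes (not qkG's code; the
# registry path is abbreviated with <ver>): AutoClose trigger, trust setting
# flipped, then this module's own source copied into the global template.
SAMPLE_REPLICATOR = r'''
Sub AutoClose()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.RegWrite "HKCU\Software\Microsoft\Office\<ver>\Word\Security\AccessVBOM", 1, "REG_DWORD"
    Call Replicate
End Sub
Private Sub Replicate()
    Dim src As String
    src = ThisDocument.VBProject.VBComponents("ThisDocument").CodeModule.Lines(1, 40)
    NormalTemplate.VBProject.VBComponents("ThisDocument") _
        .CodeModule.AddFromString src
End Sub
'''

# Constructed benign sample: auto-executes but only formats text, and the
# comment naming VBProject must not produce a finding.
SAMPLE_BENIGN = r'''
Sub AutoOpen()
    ' house style; see the VBProject docs for the rest of the add-in
    ActiveDocument.Range.Font.Name = "Calibri"
End Sub
'''

if __name__ == "__main__":
    for label, sample in (("replicator", SAMPLE_REPLICATOR), ("benign", SAMPLE_BENIGN)):
        print(label, assess(sample))
```

Feed it the text a macro extractor produces, not the document bytes. Identifiers assembled at run time from string fragments will not match these regexes, so on endpoints pair this with monitoring for changes to the AccessVBOM value, which an ordinary document has no reason to touch.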
The latest qkG sample also includes a Bitcoin address and a short ransom note demanding $300 in BTC.
That Bitcoin address has received no payments so far, which suggests the ransomware has not yet been used against real victims.
Moreover, every sample seen so far uses the same hard-coded password, "I'm QkG@PTM17! by TNA@MHT-TT2", to decrypt affected documents, so their content can be recovered without paying.
Here’s How this New Attack Technique Works
To show the complete attack chain, Buono shared a video with The Stalker's Security that demonstrates how an MS Word document carrying malicious VBA code can deliver self-replicating, multi-stage malware.