The Sneaky Way Macro-Based Malware Installs Backdoors

Cybersecurity researchers have detected an unusual breed of malware that modifies shortcut files on desktops to secretly download backdoor programs. I a recent blog past, Loseway Lu, a researcher at Trend Micro, discusses this malicious new software in detail. “Despite being around for decades, cybercriminals are still using a malicious macro to deliver malware, albeit in more creative ways—to make them more effective.

The threat actors behind a recent case used the macro in a more roundabout way, with a macro that searches for specific shortcut files in the user’s system, which it replaces with one that points to its downloaded malware. The downloaded malware executes when the user clicks on the modified desktop shortcut.”

The writer goes on to explain that once executed, the malware restores the original shortcut file and opens the correct application. Moreover, instead of using its own tools, the malware downloads common ones available on the internet—like various Windows tools, WinRAR, and Ammyy Admin—to gather and send back information to the hackers via SMTP.

The malware, which shows very unusual behavior, appears to still be in the development phase, as it does not yet appear to be widespread. There have only been a few victims so far. Trend Micro researchers first detected a sample, which originated in the form of a seemingly innocent document, written in proper English and decorated by the image of a house. In a phishing-like scam, the user is prompted to open the document using macros, and once that’s done, their system is compromised.

Loseway Lu’s blog goes on to explain, “Once the user enables macros, it then tries to search for shortcut files on the user’s desktop to replace to its corresponding linked files. It targets mainly five shortcuts, that of Skype, Google Chrome, Mozilla Firefox, Opera, and Internet Explorer. Once it finds a match, it downloads the malware according to its name and environment, like Google Drive and GitHub. When inspected more closely, the malware files seem to have been removed or are no longer present online.” The user then inadvertently executes the malware when clicking on the shortcut, not the actual program.

The blog continues, “Once executed, the malware first drops WpmPrvSE.exe (detected as TROJ_DLOADER.COGBA) in system32 or SysWoW64, depending on the Windows version, then starts a service called WPM Provider Host. Looking at this service’s properties shows that it has the description of “WPM Provider Host – System-mode WPM Provider Framework Host Process.” It also drops rar.exe and a registration key in System32 or SysWoW64 for later use. Finally, it recovers the previously replaced shortcut files in the desktop and quick launches to cover its tracks.”

How the malicious service works is also explained in detail. SC Media reports based on Loseway Lu’s blog post, explain “…the WPM Provider Host service drops the final payloads by repeatedly downloading a RAR archive from Google Drive and GitHub, then using WinRAR to open the archive and extract an installer file, along with various configuration files and tools, that when assembled together allow for greater functionality. The installer also decodes a dropped registration key for Ammyy Admin, which the attackers can use to access infected systems.

The report goes on to say, “…the installer also commences another service, WSVCHost, which actually runs Ammyy Admin and uses the crash dump utility program procdump to remove WSVCHost-related processes from memory. Ultimately, these dump files are compressed and sorted into two files, which are then ‘sent back to the malware actor as attachments with some system information and execution logs via SMTP.'”

After analyzing the dump files, researchers have found contents like router IP addresses and an Ammyy Admin ID. The remainder of the content in the dump file seems to be pretty useless which suggests the inference is really just attackers looking to gather additional information.

Loseway Lu says, “During our analysis, we also noticed how some downloaded files were changed and updated, which indicates that the author is still developing the malware. The malware might still be in the PoC stage and will have further versions.”