Malicious Office documents circulate

In recent weeks, the Reporting and Analysis Center for Information Assurance has received a large number of reports about malicious Microsoft Office documents that are distributed via email and aim to infect the victim's computer with malware. The federal agency therefore explicitly warns against opening such Office documents.

Image: Office security warning when opening documents with macros

The number of spam campaigns spreading malicious Microsoft Office documents (recognizable by the file extensions .doc, .docx, .xls, .xlsx, .ppt and .pptx) has increased rapidly in recent weeks. Almost daily, the Reporting and Analysis Center for Information Assurance (Melani) observes such spam campaigns, which have the goal of infecting citizens' computers with malware. The malware that is spread via this attack vector is usually Locky (ransomware) or Dridex (eBanking Trojan). While Locky malware encrypts files on the victim's computer and then extorts the victims, Dridex targets the eBanking accounts of Swiss Internet users. Currently, customers of several Swiss banks are targeted by Dridex.

To infect the victim's computer, the attackers use macros. For security reasons, Microsoft has disabled the execution of unsigned macros by default. The attackers therefore use social engineering to try to convince the recipient of the email to enable the execution of macros (see image above). If the macros are activated, they automatically download malicious code from the Internet and infect the computer with malware.

For companies, Melani recommends the following measures:

  • Use a collective signature for the authorization of payments via eBanking (each payment must thus be approved by two different eBanking contracts or logins, which massively reduces the risk of a fraudulent payment). Talk to your bank about the use of collective contracts.
  • Use a dedicated computer for eBanking, which you use exclusively for eBanking (no surfing, reading emails, etc.).
  • Make sure that potentially harmful email attachments are already blocked or filtered on your email gateway or spam filter. Dangerous email attachments use the following file extensions, among others:

      • .js (JavaScript)
      • .jar (Java)
      • .bat (batch file)
      • .exe (Windows executable)
      • .cpl (Control Panel)
      • .scr (screensaver)
      • .com (COM file)
      • .pif (Program Information File)
      • .vbs (Visual Basic Script)
      • .ps1 (Windows PowerShell)

  • Make sure that such dangerous email attachments are blocked even if they are sent to recipients in your organization in archive files such as ZIP, RAR or even encrypted archive files (e.g. in a password-protected ZIP).
  • Additionally, all email attachments that contain macros (e.g. Word, Excel or PowerPoint attachments that contain macros) should be blocked.
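The three gateway checks above (blocked extensions, the same files inside archives or encrypted archives, and Office attachments with macros) can be sketched as follows. This is an added example, not code from MELANI or from any gateway product; the function names and the `MAX_DEPTH` and `MAX_MEMBER` limits are assumptions. It covers ZIP archives and ZIP-based Office formats only; RAR and the legacy .doc/.xls/.ppt formats need additional parsers.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy

# Extensions listed in the advisory above.
BLOCKED_EXT = {".js", ".jar", ".bat", ".exe", ".cpl", ".scr", ".com", ".pif", ".vbs", ".ps1"}
MAX_DEPTH = 3                   # assumed limit for nested archives
MAX_MEMBER = 20 * 1024 * 1024   # assumed size cap per archive member (bytes)

def inspect_attachment(name, data, depth=0):
    """Return the reasons (possibly none) for blocking one attachment."""
    reasons = []
    if os.path.splitext(name.lower())[1] in BLOCKED_EXT:
        reasons.append(f"{name}: blocked extension")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons  # legacy OLE files (.doc/.xls/.ppt) need a separate macro scanner
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}!{info.filename}"
                # OOXML documents are ZIP containers; VBA macros are stored in vbaProject.bin.
                if info.filename.lower().endswith("vbaproject.bin"):
                    reasons.append(f"{member}: Office macro project")
                if info.flag_bits & 0x1:
                    # Encrypted member: content is unreadable, but its name is still visible.
                    reasons.append(f"{member}: encrypted archive member")
                    reasons += inspect_attachment(member, b"")
                elif depth >= MAX_DEPTH or info.file_size > MAX_MEMBER:
                    reasons.append(f"{member}: too deep or too large to inspect")
                elif not info.is_dir():
                    reasons += inspect_attachment(member, zf.read(info), depth + 1)
    except (zipfile.BadZipFile, NotImplementedError, RuntimeError):
        reasons.append(f"{name}: unreadable archive")
    return reasons

def filter_message(raw):
    """Collect block reasons for every attachment of a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons += inspect_attachment(part.get_filename() or "unnamed", payload)
    return reasons

if __name__ == "__main__":
    import sys
    for reason in filter_message(sys.stdin.buffer.read()):
        print("BLOCK", reason)
```

Run as a script, it reads one raw message from standard input and prints a line per finding; an empty result means none of the three rules matched.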

Source: MELANI

 
