author photo
By SecureWorld News Team
Mon | Jun 24, 2019 | 4:04 PM PDT

If your organization has macros enabled, you may want to change that after a recent discovery by Microsoft's Security Intelligence Team.

A new attack starts with an Excel file that takes advantage of enabled macros to run an attack. Here is what Microsoft posted in a series of tweets:

"Anomaly detection helped us uncover a new campaign that employs a complex infection chain to download and run the notorious FlawedAmmyy RAT directly in memory. The attack starts with an email and .xls attachment with content in the Korean language.

When opened, the .xls file automatically runs a macro function that runs msiexec.exe, which in turn downloads an MSI archive. The MSI archive contains a digitally signed executable that is extracted and run, and that decrypts and runs another executable in memory.

This executable then downloads and decrypts another file, wsus.exe, which was also digitally signed on June 19. wsus.exe decrypts and runs the final payload directly in memory. The final payload is the remote access Trojan FlawedAmmyy."

Microsoft claims that Office 365 ATP detects the email campaign in its current form.