McAfee Labs has discovered a new deceptive technique that developers of the Word macro Trojan known as W97M/Downloader are using to avoid detection.
According to an Intel Security/McAfee blog post, researchers found a variant of W97M/Downloader that builds on the already established tactic of hiding itself in Microsoft Office XML documents that contain compressed MSO ActiveMime objects, which in turn extract encrypted OLE objects that automatically execute the malicious macro code.
The new variant adds two new layers of trickery. First, the “malicious XML document is now hidden in a multipart MIME object distributed as .RTF or .DOC files that arrive via phishing or spam emails,” the blog post explains. Second, the code that downloads and executes the final malware payload is not located in the macro itself, but in a very small (and thus difficult to spot) TextBox1 object embedded in a form object. The final payload is a variant of Dridex banking malware, which steals users' online banking credentials. Microsoft Office users can help protect themselves by disabling macros, McAfee advises.
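The first layer described above, a .DOC or .RTF attachment that is really a MIME multipart wrapper around an Office document with an MSO ActiveMime part, can be caught by checking what the file actually is rather than what its extension claims. The following is an added detection example, not McAfee's code; the sample "document" is constructed inline and its ActiveMime payload bytes are dummy.

```python
# Added detection example (not McAfee's code): flag .doc/.rtf files that are
# really MIME multipart wrappers and look for an MSO ActiveMime part inside.
import base64
import email
from email import policy

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc
RTF_MAGIC = b"{\\rtf"
ZIP_MAGIC = b"PK\x03\x04"  # OOXML .docx

def classify(data: bytes) -> str:
    """Identify the real container from leading bytes, not the extension."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    head = data[:512].lower()
    if b"mime-version:" in head or b"content-type: multipart/" in head:
        return "mime"
    return "unknown"

def activemime_parts(data: bytes) -> list:
    """Return (content_type, starts_with_ActiveMime) for each leaf MIME part."""
    msg = email.message_from_bytes(data, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""  # base64 is decoded here
        found.append((part.get_content_type(), body.startswith(b"ActiveMime")))
    return found

def assess(filename: str, data: bytes) -> dict:
    """Combine the extension/content mismatch with the ActiveMime check."""
    kind = classify(data)
    parts = activemime_parts(data) if kind == "mime" else []
    return {"container": kind,
            "extension_mismatch": filename.lower().endswith((".doc", ".rtf")) and kind == "mime",
            "activemime": any(flag for _, flag in parts)}

# Constructed sample: a "document" that is really MIME with an x-mso part whose
# base64 body begins with the ActiveMime signature (payload bytes are dummy).
SAMPLE = (b"MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary=\"b1\"\r\n\r\n"
          b"--b1\r\nContent-Type: text/html\r\n\r\n<html></html>\r\n"
          b"--b1\r\nContent-Type: application/x-mso\r\nContent-Transfer-Encoding: base64\r\n\r\n"
          + base64.b64encode(b"ActiveMime\x00\x01" + b"\x00" * 16) + b"\r\n--b1--\r\n")
```

Calling `assess("invoice.doc", SAMPLE)` reports the MIME container, the extension mismatch and the ActiveMime part; a genuine OLE2 or RTF file passes both checks.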