A recent wave of spear-phishing campaigns leveraged weaponized Windows 11 Alpha-themed Word documents with Visual Basic macros to drop malicious payloads, including a JavaScript implant, against a point-of-sale (PoS) service located in the U.S.

Users clicked on the malicious document, which came bundled with an RTF file, to download and launch the Visual Basic Macro (VM) file. The VM was crafted to communicate with the remote server via the TCP channel. Upon connection, malware downloaded and executed an embedded JavaScript implant, which is currently being actively distributed through the web.

The implant first checks if the user’s machine has a VBScript-enabled browser (a Microsoft Internet Explorer (IE) version prior to version 11). If VBScript is detected, the implant will attempt to download and execute a malicious payload; if not, the implant directly executes the payload.

Besides taking several steps to try to impede analysis by populating the code with junk data, the VB script also checks if it is running under a virtualized environment such as VirtualBox and VMWare, and if so, terminates itself, in addition to stopping the infection chain upon detecting Russian, Ukrainian, or several other Eastern European languages. The malware uses an open-source code library to determine the current computer’s internal IP address.

This summer, Microsoft announced the next version of its Windows operating system, codenamed “Windows 11.” Microsoft has stated that it is considering Windows 11 as the last version of desktop Windows, meaning that it will not release another major upgrade after Windows 11.

One of the features that Microsoft promoted for this release was the return of the Start menu. The company’s press release states:

Windows 8 was built to take advantage of modern technology and designed to work with touchscreen devices. Windows 8.1 was about refining the experience and responding to customer feedback, with features like support for virtual desktops, expanded folders, better search, the Start button and more. With Windows 11, we’re looking ahead again to continue to modernize Windows and create a unique experience for our customers as they use their desktop PC, tablet, phone and other devices.

While this release will not be the last of Microsoft’s operating systems on traditional personal computers—the company will release future versions of its Xbox One operating system—it is likely that Windows 11 will be the last major upgrade released before Microsoft shifts its focus towards mobile-centric systems.

The VB script is a proof-of-concept malware test for this infection vector.

Technical Details:

This week, we received reports from our customers about Windows 11 themed documents designed to spread Visual Basic macros. Analysis of the document’s payload revealed that it was crafted to drop a malicious JavaScript implant. The logic in these documents is quite simple, but it highlights the potential threat posed by any document that conceals malicious content in random elements of the document or its title bar. The presence of Visual Basic macros within a document might also illustrate this threat’s ability to surpass file defenses enabled by many antivirus products when triggered by an unsuspecting user.

When the victim opens the document, they will receive a warning about “Macros have been disabled.” However, if they click on the enable content button the embedded macros will execute. This step triggers one of Microsoft’s documented implementation flaws in how it handles specially crafted files. Specifically, Microsoft treats the presence of a VBScript as a trigger to activate the malicious content.

However, with VBScript disabled by default in its most common browsers (including IE), this triggers another warning box. Users are likely to consider the message as part of an anti-malware process and might click past it. This leads to the next stage of the infection chain.

The Javascript implant is a very simple script, which is executed only when the victim’s browser is running Microsoft’s VBScript engine. The script attempts to determine the operating system, based on the computer’s IP address and executes standard Google Hacking Techniques. It then downloads a malicious payload from an attacker-controlled server. This step is used to evade detection by many existing solutions that are designed to detect threats that are downloaded from websites or pop-ups. It also bypasses another flaw in how Microsoft handles specially crafted documents: according to Microsoft, “When a user opens a specially crafted file, an error message may be presented notifying him of this fact. The information may also be logged.”

The current version of the malware, which is a modified version of a publicly available exploit code published by CanSecWest, dropped a different payload with slightly different behavior. The payload was custom-written for this sample to download and execute its own configuration file (named config.memory.html). The implant first attempts to download the malicious configuration file using the already existing mechanism; if this succeeds, it will take unspecified action.

Interested in reading more about how to defend against hackers manipulating widows? Best Antivirus for Windows PC discusses the best antivirus to use when using a computer running Windows 10.

Liquid Video Technologies Logo, zero trust, Security, Video Surveillance, Greenville South Carolina, cybersecurity, Windows 11

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access ControlFire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.