Macro enabled Office documents are a useful tool for automating advanced calculations in document files but they have a long history of abuse as well. They are easy to spot as documents containing embedded Visual Basic for Applications (VBA) code have a ‘m’ at the end of the filename, e.g .xlsm or .docm. When opening these files Microsoft Office asks if you would like to enable the embedded macros, and for good reason. They can be used to run malicious code on a target system or infect the computer with malware.
Researchers at Checkpoint recently uncovered a new malicious document campaign targeting government finance entities and several embassies in Europe. If these documents are opened with macros enabled they drop multiple malicious AutoHotKey scripts onto the target system and begin communicating with command and control servers to exfiltrate data. Specifically the document drops 4 files, the AutoHotKey program itself and 3 scripts used to gather information or take control of the computer. ‘htv.ahk’ is the most dangerous of the 3 scripts dropped, it grabs a malicious version of Teamviewer, executes it, and then sends login credentials to the attackers server.
The malicious version of Teamviewer has a few interesting modifications. First it completely hides the running instance so that the attacker can take control without the user receiving any notifications the way that the standard version would provide. It also allows for the transfer and execution of additional .exe and .dll files onto the target machine. The standard version of Teamviewer only supports transferring files; execution would be done through the Windows GUI. Later versions of the malicious Teamviewer application also provide a more traditional command and control mechanism via text based commands. This interface allows the attacker to do much more including searching for files or download and execution of files from an external webserver.
Checkpoint acknowledges that in most cases it is difficult to provide attribution for attacks such as these. In this case however they were able to find posts on a clearnet hacking forum with code samples identical to the ones used in the campaign. Beyond the identical code samples the user ‘EvaPicks’ was also talking about techniques used in the campaign.
Most high end firewalls will inspect macro enabled document files with extra scrutiny because of attacks like this. AutoHotKey is also frequently detected as malicious software by anti virus programs despite its legitimate use in task automation. Regardless end users must remain vigilant when opening files from unknown sources in order to protect sensitive information and equipment.