
Loads of Macro Malware ‘Invoice’ Emails Hitting Inboxes

Outline:
Inboxes are currently being hit by malicious ‘invoice’ or ‘receipt’ emails with attached Microsoft Word documents.



Brief Analysis:
The emails are designed to trick people into enabling macros so that a malicious macro can run and subsequently download and install malware. Be wary of any Microsoft Word or other Microsoft Office email attachment that claims that you must enable macros to view an invoice or receipt. If you are unfamiliar with macros and the potential dangers they pose, scroll down to the Detailed Analysis for more information.

Examples:

Subject:  Receipt – Order No 173535

[No content]

Attached:  Receipt – Order No 173535.docm

 

Subject: Scanned Invoice

Dear [name removed],

Scanned Invoice in Microsoft Word format has been attached to this email.

Thank you!

[Name removed]
Sales Manager

Attached: SCAN_Invoice_[name removed].doc




Detailed Analysis:
A new wave of macro malware emails is currently hitting inboxes. These emails are very short and to the point. Many of them have no content at all in the body of the email but feature a subject line that implies that you can view a receipt or invoice by opening an attached file. Other versions include a brief message that echoes the suggestion in the subject line that the attachment contains a receipt or invoice. The attachments are usually Microsoft Word documents, although some may be in other Microsoft Office formats such as Excel.

The criminals running these malware campaigns know that at least a few recipients will want to open the attachments out of simple concern and curiosity. Recipients may be worried that they have been billed for items or services that they never bought. The emails do not name the company that supposedly sent them, nor do they contain any information at all about the supposed purchase. This lack of detail is a deliberate ploy designed to get people clicking on attachments in the hope of revealing the missing information. And, because the attachments are seemingly innocuous Microsoft Office documents, at least a few recipients may let their guard down and open them without due caution.

If people do attempt to open the attachments, they will be prompted to enable macros, supposedly so that the contents can be properly displayed. But, if they do enable macros as requested, a malicious macro will then be able to run. This macro can connect to a compromised website and download and install malware of various types.

For those who may not be aware, a macro is a set of commands and instructions that can be grouped as a single command in order to quickly and automatically accomplish a task.

Macros can be very helpful in some workflows, and quite complex macros can be created. But such complex macros can be created to perform evil deeds as well as good. In years gone by, macro viruses were common computer security threats. But, for the last several years, they have been much less significant because later versions of Microsoft Office disabled macros by default.

Alas, many users may have either forgotten about macro risks or have no knowledge of them, and may therefore be inclined to enable macros if requested to do so.

While macros can certainly be useful in some workflows, it is best to leave them disabled if you do not use them and are unfamiliar with their potential security risks. And do not believe any message that claims that you must enable macros in order to view a simple document such as a billing invoice or receipt.




Last updated: March 7, 2016
First published: March 7, 2016
By Brett M. Christensen







Original Source : https://www.hoax-slayer.net/loads-of-macro-malware-invoice-emails-hitting-inboxes/