Malicious Macro Hijacks Windows Desktop Shortcuts [source: gbhackers]
by CIRT Team
Cybercriminals are using a malicious macro that changes the target of desktop shortcuts so that they download malware; when the user clicks the altered shortcut, the malware executes instead of the intended program.
In this campaign the attackers used common tools such as WinRAR and Ammyy Admin to gather information instead of custom tooling of their own.
Security researchers from Trend Micro uncovered the campaign. The malware and the macro are not sophisticated, and the researchers believe the malware was still under development.
Malicious Macro Infection Chain
The attack starts with a malicious Word document written in Russian and containing an image of a house; it instructs the user to enable macros in order to view the full document.
Once the user enables macros, the macro searches the desktop for shortcut files and replaces each one with a shortcut whose target downloads and runs the malware in place of the original program. It primarily targets shortcuts for Skype, Google Chrome, Mozilla Firefox, Opera, and Internet Explorer.
If the user launches the shortcut from the desktop or the Quick Launch bar, the malware executes instead of the original program.
Once triggered, the malware drops WpmPrvSE.exe into System32 or SysWoW64, depending on the operating system type, and starts a service named WPM Provider Host, which allows applications on the computer to request system information.
Along with WpmPrvSE.exe it also drops rar.exe, possibly for later use, and then restores the shortcut files to their original state.
Researchers say that “While the malware is working, the malicious service that the malware activated would already be downloading the final payloads. It downloads a RAR archive from Google Drive and GitHub.”
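A defender can check a Windows host for the three traces this chain leaves: desktop or Quick Launch shortcuts whose target no longer points into a normal install directory, the dropped WpmPrvSE.exe in System32 or SysWoW64, and the WPM Provider Host service. The script below is an added example written for this article; it is not code from the article, from Trend Micro, or from the malware. The list of expected install roots, the loader-executable heuristic, and the assumption that rar.exe lands beside WpmPrvSE.exe are the author's assumptions, not facts stated by the article.

```powershell
# Added hunting script for the shortcut-hijack chain described above.
# Not from the article or Trend Micro; roots, heuristics and the rar.exe
# location are assumptions made for this example.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Shortcuts in the places the article names (desktop, Quick Launch) whose
#    target lives outside the directories legitimate installers use.
$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
)
$expectedRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    (Join-Path $env:LOCALAPPDATA 'Programs'),   # per-user Chrome/Opera installs (assumed)
    (Join-Path $env:LOCALAPPDATA 'Google')      # older per-user Chrome layout (assumed)
) | Where-Object { $_ }

$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $shortcutDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -File -Recurse | ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)
        $target = [string]$lnk.TargetPath
        $inExpected = $false
        foreach ($root in $expectedRoots) {
            if ($target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $inExpected = $true; break
            }
        }
        # Heuristic: a browser/Skype shortcut that now launches a script host or
        # shell with arguments is exactly what a retargeted .lnk looks like.
        $looksLikeLoader = $target -match '(?i)\\(cmd|powershell|wscript|cscript|mshta|rundll32)\.exe$'
        if (-not $inExpected -or $looksLikeLoader) {
            $findings += [pscustomobject]@{
                Type   = 'Shortcut'
                Item   = $_.FullName
                Detail = "target=$target args=$($lnk.Arguments)"
            }
        }
    }
}

# 2. The dropped binaries. WpmPrvSE.exe's location is from the article;
#    rar.exe is assumed to be dropped into the same directory.
foreach ($sysDir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
    foreach ($name in @('WpmPrvSE.exe', 'rar.exe')) {
        $p = Join-Path $sysDir $name
        if (Test-Path -LiteralPath $p) {
            $findings += [pscustomobject]@{
                Type   = 'DroppedFile'
                Item   = $p
                Detail = 'sha256=' + (Get-FileHash -Algorithm SHA256 -LiteralPath $p).Hash
            }
        }
    }
}

# 3. The service the article says the malware registers.
Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like 'WPM Provider Host*' -or $_.PathName -match 'WpmPrvSE\.exe' } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Type   = 'Service'
            Item   = $_.Name
            Detail = "state=$($_.State) path=$($_.PathName)"
        }
    }

if ($findings.Count -eq 0) { 'No traces of the shortcut-hijack chain found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it in an elevated PowerShell session so the System32 and service checks are not blocked. A hit in the Shortcut category is only a lead, since portable or unusual installs also place binaries outside the expected roots; compare the reported target with what the shortcut's name claims to launch before acting on it. Because the article says the malware restores the shortcuts after it runs, the file and service checks matter more than the shortcut check on a host that was already compromised some time ago.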