Spam messages masquerading as credit card emails are using password-protected documents with malicious macros to infect users with Cerber ransomware.
The spam campaign begins by notifying email recipients of a large charge to their MasterCard. It then tells them they can avoid the charge by opening the attached password-protected Word document using a combination contained in the email. The email also incorporates social engineering techniques to personalize the subject line and attachment title with the victim’s name.
Microsoft security researchers admit that the use of a password-protected Word document is a unique but effective tactic for distributing spam. As they explain in a blog post:
“On the technical side, the use of a password-protected Word document allows the embedded macro code to avoid detection by many email scanners. Without password-protection, the macro code is easily detected by antimalware engines . (Microsoft detects the macro code in our samples as TrojanDownloader:O97M/Donoff.CU .) To an extent, password-protection also makes the attachment appear legitimate—many bank documents are typically transmitted as password-protected files.”
Once opened, the Word document displays in Protected View and leverages a convincing set of instructions by which the recipient can enable macros. Doing so causes the payload embedded in the document to execute and download Cerber, a type of ransomware which encrypts victims’ files and asks for a ransom payment in exchange for the decryption key.
Aside from the password-protected document, these fake emails constitute a classic spam campaign that uses malicious macros to download malware onto a recipient’s computer. Fortunately, users can protect themselves against this type of spam campaigns. They just need to know what to look out for.
That’s where organizations should step in. At the workplace, companies can instruct their employees on how they can keep an eye out for phishing attacks. They can do so via third-party security awareness training software.