A macro-based malware was recently found to be replacing shortcuts with a program that sends the attacker dump-files from the system, according to cybersecurity and defense company Trend Micro.
The “unusual behavior” of the malware led Trend Micro’s researchers to believe that the malware is still under development. The researchers believe that it is likely not widespread and has only infected a few victims.
“However, it is important to be aware of this malware and method of attack,” the researchers said in a blog post Tuesday, “as newer and improved versions may be in the works.”
Once activated, the malware runs through a process that downloads and installs “common” Windows tools, WinRAR, and Ammyy Admin, a remote desktop tool.
The Ammyy tool is configured to allow a specific Ammyy Admin ID, which is “most likely the malware actor’s,” to have complete access to the system. It also, for reasons the researchers couldn’t explain, forces all Ammyy processes to stop after setting up the ID, which is “counter-productive” to the attack.
The program sends the attacker back information from the host system, though the contents of that information, apart from the Ammyy ID, seemed “to have no immediate use.”
The “infection chain” for this malware starts with a document showing a picture of a house and Russian text that instructs the user to enable macros to read the full document. Macros are disabled on Microsoft devices by default for safety reasons. Once enabled, macros can run “potentially malicious code.”
This malware, for instance, uses macros to “search for shortcut files on the user’s desktop to replace” with its own files. The malware targets five shortcuts: Skype, Google Chrome, Mozilla Firefox, Opera, and Internet Explorer.
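A defender can check for exactly this kind of tampering by auditing the desktop shortcuts the article names. The following PowerShell audit is an added example, not code from Trend Micro’s post; it assumes the genuine shortcuts point at the vendor executables listed in the table below (the Opera entry covers both launcher.exe and opera.exe) and that those executables live under Program Files, so a portable install will show up as a finding.

```powershell
# Added audit script (not from the Trend Micro write-up). Assumed-good targets
# for the five shortcuts the malware replaces; adjust for your own image.
$expected = @{
    'skype'             = @('skype.exe')
    'chrome'            = @('chrome.exe')
    'firefox'           = @('firefox.exe')
    'opera'             = @('launcher.exe', 'opera.exe')   # assumption: either name
    'internet explorer' = @('iexplore.exe')
}
$trustedRoots = @(${env:ProgramFiles}, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$desktops = @([Environment]::GetFolderPath('Desktop'),
              [Environment]::GetFolderPath('CommonDesktopDirectory'))
$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $desktops) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $name = $_.BaseName.ToLowerInvariant()
        $app  = $expected.Keys | Where-Object { $name -like "*$_*" } | Select-Object -First 1
        if (-not $app) { return }   # not one of the five shortcuts this malware targets

        $lnk     = $shell.CreateShortcut($_.FullName)
        $target  = [string]$lnk.TargetPath
        $exe     = [IO.Path]::GetFileName($target).ToLowerInvariant()
        $reasons = @()

        # A replaced shortcut usually launches a dropped file instead of the real binary.
        if ($expected[$app] -notcontains $exe) {
            $reasons += "target is '$exe', expected $($expected[$app] -join ' or ')"
        }
        if ([IO.Path]::GetExtension($target) -ne '.exe') { $reasons += 'target is not an .exe' }
        if (-not ($trustedRoots | Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') })) {
            $reasons += 'target lives outside Program Files'
        }
        # The vendor shortcuts carry no arguments; a script or loader often needs some.
        if ($lnk.Arguments) { $reasons += "unexpected arguments: $($lnk.Arguments)" }

        if ($reasons) {
            [pscustomobject]@{ Shortcut = $_.FullName; Target = $target; Reasons = $reasons -join '; ' }
        }
    }
}

if ($findings) { $findings | Format-List } else { 'All targeted desktop shortcuts look as expected.' }
```

Run it under the affected user’s account so the user Desktop resolves correctly; shortcuts elsewhere (taskbar, Start menu) are out of scope here because the article only describes desktop replacement.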
Trend Micro recommends that users protect themselves from malware like this by avoiding “downloading and enabling macros for documents from new or unknown sources.”