MS Office built-in feature can be used for replicating malware

Microsoft Office built-in features have a vulnerability that allows malware to spread. Microsoft doesn't see any vulnerability, but now a 'qkG ransomware' seems to have emerged that uses exactly this technique.



Security researchers from Trend Micro came across samples of a file-encoding ransomware variant, implemented entirely in VBA macros, called qkG (detected by Trend Micro as RANSOM_CRYPTOQKG.A). It's a classic macro malware that infects Microsoft Word's Normal template (normal.dot), on which all new, blank Word documents are based.

The first samples were uploaded to VirusTotal on November 12, 2017. While the first samples did not have a Bitcoin address, newer samples observed 2 days later came with such addresses and a routine that encrypts a document on a specific day and time.

qkG is a classic macro malware that infects the standard document template (normal.dot) used by Microsoft Word. If the user creates a new, empty Word document, it is based on normal.dot by default. In other words: all new, empty Word documents are infected with the malware (it replicates).
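Because the infection lives in the Normal template, a defender can check whether a template file carries a VBA project at all. The following is an added example, not code from this post or from Trend Micro; it assumes the template is either a legacy OLE file (normal.dot) or the ZIP-based Normal.dotm of current Word versions, where VBA is stored as `word/vbaProject.bin`. The function name and the sample blobs are hypothetical and constructed.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .dot/.doc compound-file header
# Storage names in an OLE directory are UTF-16LE; Word keeps VBA under "Macros".
OLE_MACROS_NAME = "Macros".encode("utf-16-le")


def template_macro_status(data: bytes) -> str:
    """Classify template bytes: 'ooxml-vba', 'ole-vba-likely', 'no-vba' or 'unknown'."""
    if data.startswith(OLE_MAGIC):
        # Heuristic only: a full check would walk the compound-file directory.
        return "ole-vba-likely" if OLE_MACROS_NAME in data else "no-vba"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-vba"
        return "no-vba"
    return "unknown"


def _make_ooxml(with_vba: bool) -> bytes:
    """Constructed sample: a minimal ZIP shaped like a .dotm, not a real template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


CLEAN = _make_ooxml(False)                                      # constructed
WITH_VBA = _make_ooxml(True)                                    # constructed
LEGACY_WITH_VBA = OLE_MAGIC + b"\x00" * 504 + OLE_MACROS_NAME   # constructed

if __name__ == "__main__":
    samples = [("clean", CLEAN), ("dotm+vba", WITH_VBA), ("dot+vba", LEGACY_WITH_VBA)]
    for label, blob in samples:
        print(label, template_macro_status(blob))
```

A VBA project in the Normal template is not proof of infection, since users can store their own macros there; a hit is a reason to inspect the macro code.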

Trend Micro has documented the whole case in this blog post. The Hacker News has also written about this malware.

