Mon. Apr 6th, 2020

Microsoft Security Intelligence: Hackers use Excel document to spread malware in the biggest malware campaigns


Hackers have used phishing attacks for a long time, and some tailor their phishing to different target users to obtain the best results.

For example, attacks that abuse office software are usually aimed at enterprises and business people, and the macro functions in office software are especially popular among hackers.

Microsoft Threat Intelligence Center found that hackers are using Excel files to induce users to load macros that execute malicious code and load more malware. The vast majority of attacks using office software are based on macros.

The cybercrime group behind the campaign, called TA505, targets retail companies and financial institutions. Its purpose is direct financial gain.

Under normal circumstances, TA505 directly sends spam and phishing emails to induce companies to click on links or download software, but the group has recently changed its approach.

The malicious samples intercepted by Microsoft Threat Intelligence Center show that TA505 is now trying to place malicious code in macros and then induce users to open and load macros.

When a user opens a phishing document, a fake document-protection prompt is displayed immediately, telling the user to click Enable Editing to view the content of the document.

If the user trusts the prompt and clicks Enable Editing, the macro containing the malicious code is executed immediately and contacts the remote server to load the malware.
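A mail gateway or triage script can identify macro-bearing workbooks before a user ever sees such a prompt. The Python below is an added example, not code from Microsoft's report or from this article; it flags files that carry a VBA project and, going slightly beyond the article, Excel 4.0 macro sheets. The helper names and the sample files are constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .xls/.doc container
# VBA storage name as it appears (UTF-16LE) in a legacy file's OLE directory
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def macro_indicators(data: bytes) -> list[str]:
    """Return the reasons a workbook should be treated as macro-bearing."""
    findings = []
    if data.startswith(OLE2_MAGIC):
        # Heuristic only: a byte search, not a full compound-file parse.
        if OLE_VBA_MARKER in data:
            findings.append("legacy OLE2 file with a VBA project storage")
        return findings
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    # Inspect content, not the extension: an .xlsm renamed to .xlsx still matches.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings.append(f"VBA project part: {name}")
            elif lower.startswith("xl/macrosheets/"):
                findings.append(f"Excel 4.0 macro sheet: {name}")
    return findings


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a zip with OOXML-style part names, not a real workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    # Both attachment names are constructed for the demonstration.
    for label, blob in (("clean.xlsx", build_sample(False)),
                        ("invoice.xlsm", build_sample(True))):
        hits = macro_indicators(blob)
        print(label, "->", hits or "no macro parts found")
```

Files that return findings can be quarantined or stripped of macros at the gateway, which removes the decision from the user.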

TA505 installs various malicious software on the victim’s computer, such as backdoors, Trojan downloaders, ransomware, keyloggers, and other software.

Microsoft Security Intelligence provides a full list of indicators of compromise (IOCs) including SHA-256 hashes of the malware samples used in the campaign here and here.

Via: bleepingcomputer