Microsoft’s Security Intelligence team warns of a new malware campaign that compromises fully patched Windows PCs. It spreads via malicious macro functions in an Excel attachment, which activate “a complex infection chain to download and run the notorious FlawedAmmyy remote access trojan directly in memory.” Microsoft recommends disabling macros. A Virsec expert offers thoughts.
New attack wave with FlawedAmmyy RAT #ThreatoftheDay
A new wave of attacks is currently spreading through the Internet, aiming to bring the already known FlawedAmmyy RAT remote access trojan to the victim's computer. The currentl… https://t.co/feGmZcK7Vo https://t.co/nOzNeBkhQy
— Thomas Tschersich (@Ttschersich) June 25, 2019
Satya Gupta, CTO and Co-founder at Virsec:
Excel macros have been associated with malware for a long time, but it’s still alarming for Microsoft to recommend disabling all macros – functions used routinely by millions of businesses. Microsoft needs to rethink its macro strategy as it has become an easy vehicle for malware to get into fully patched systems. Below the surface, we also need a new approach to in-memory attacks that are being launched through these macros. However these threats get in the front door (and there’s almost always a way in…), once in memory these attacks are undetectable by most security products and leave few traces behind after an application is done executing.