2 min

Tags in this article

, , ,

Microsoft warns of a malware that uses Office features to compromise Windows systems. The malware does not take advantage of a bug in the software, but uses malicious macro features in an Excel attachment to compromise fully patched Windows PCs.

According to Microsoft’s Security Intelligence team, a group called TA505 is behind the attacks, according to ZDNet. The group often uses Microsoft appendices and social engineering to compromise victims’ systems. The attack starts with an email and .xls attachment (Excel). Microsoft therefore warns addressees not to open them.

When opened, the .xls file automatically performs a macro function that performs msiexec.exe, which in turn downloads an MSI archive. The MSI archive contains a digitally signed executable file that is unpacked and executed and that decrypts and executes another executable in memory, according to Microsoft.


According to Microsoft’s Security Intelligence team, the malware uses a complex infection chain to download and run the infamous remote access trojan (RAT) FlawedAmmyy directly into memory. FlawedAmmyy is often used to attack companies in the financial and retail sectors.

The technique behind the malware to run it in memory ensures that it is not detected by an antivirus. This program normally only scans files on the hard disk. The malicious executable file then downloads and decodes a file named wsus.exe, specifically designed to be passed as the official Microsoft Windows Service Update Service (WSUS). The executable file was digitally signed on 19 June. It decrypts the payload in RAM, thus delivering the FlawedAmmyy-payload.

Earlier this month, Microsoft warned that attackers were firing spam to exploit a bug in Office to install a trojan. As a result, the attackers did not need the intervention of users to switch on macros.


The Korean-language and sign appendix suggests that the attack is aimed primarily at Korean-speaking Windows users. Meanwhile, Microsoft has invested in its security infrastructure to improve its own built-in antivirus. The software giant states that users of Microsoft Threat Protection are protected against this attack.

In addition, Defender ATP’s machine learning systems blocked all components of this attack, including the FlawedAmmyy RAT payload. Business users of Office 365 ATP can assume that the Office 365 security tools detect spam.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.