Macros-based Attack Deploys Malware by Hijacking Desktop Shortcuts

A new attack that uses documents with malicious macros modifies legitimate application shortcut files from the Windows desktop to trick users into executing a backdoor program.

The poisoned documents distributing this threat were observed recently by researchers from Trend Micro and contained Russian text. The first stage of the infection chain used the tried-and-tested macro technique, in which users are asked to enable the execution of scripts embedded in the document.

If macro execution is allowed, the malicious code downloads a backdoor program from Google Drive or GitHub, then scans the computer’s desktop for shortcuts of popular applications: Skype, Google Chrome, Mozilla Firefox, Opera and Internet Explorer. If these shortcuts are found, the script replaces their target links with the path to the newly downloaded malware program.

The downloaded backdoor program also tries to masquerade as one of those legitimate applications. For example, if the Google Chrome shortcut is found, the malware is downloaded to the following location: %AppData%Googlechrome_update.exe.

By changing the target of the shortcut files, the attackers ensure that users eventually will execute the downloaded backdoor manually when they attempt to open one of those popular applications. Moreover, after it’s executed, the malware will restore the shortcuts to their original functionality to avoid raising suspicion. This means that a subsequent attempt to open the applications through their desktop shortcuts will work as expected.

The malware will create a rogue Windows service called “WPM Provider Host” that will run in the background and download additional components. The secondary payloads are common tools that are not inherently malicious and include WinRAR and the Ammyy Admin remote administration tool.

The attackers use these tools to steal information from infected computers, which is encoded and sent to email accounts via the SMTP servers of and

“This malware, from the use of its macro to its installation, exhibits very unusual behavior and is likely still under development,” the Trend Micro researchers said in a blog post. “We believe that the malware is not widely spread and have had only a few victims so far. However, it is important to be aware of this malware and method of attack, as newer and improved versions may be in the works.”

Macros are disabled by default in recent versions of Microsoft Office and opening documents that contain such code will result in a warning message. However, the malicious documents will often contain text asking users to enable macro execution and, since this functionality is sometimes used legitimately in enterprise environments, some users might fall for the trick.

That’s why it’s recommended for users to never enable macros for documents received from untrusted sources and for administrators to enforce networkwide macro security policies.

Users Can Easily Check If VPNFilter Hijacks Their Traffic

Symantec has launched a free online scanner that allows users to easily check if their network traffic is being hijacked by the VPNFilter malware, which infected more than 500,000 routers from around the world.

VPNFilter is a sophisticated malware program that was likely developed by Russian state actor. It has exploits for more than 50 router models from different manufacturers and, unlike other router malware, it can survive reboots.

VPNFilter has the ability to manipulate users’ web traffic and uses a module called “ssler” to strip SSL from encrypted connections. In other words, whenever a client behind an infected router wants to access an HTTPS website, the ssler module will establish an encrypted connection with the website, but will serve an unencrypted version back to the client.

This proxy behavior is detectable by the remote web server because the security of the HTTPS connection is downgraded, since ssler does not have all of the TLS capabilities of a modern browser.

Symantec’s online VPNFilter checker is built around this idea, but the tool can only detect VPNFilter traffic manipulation if the ssler plug-in was actually deployed on the compromised router. This is not always the case and it doesn’t mean that the router is not infected with other VPNFilter components.

Users who believe their routers might be infected should reset their devices to factory settings—also known as a hard reset—to remove the malware. They should then update the device firmware in order to patch any known vulnerabilities before reconfiguring the device and connecting it back to the internet.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin