We recently had a spate of emails arrive at work, some claiming to be from RBS and some from Santander.
My curiosity got the better of me, so I saved the attached Word document, brought it home, and studied it on a Linux machine.
It turned out to be rather easy to pull apart, but rather difficult to piece together and understand.
I was able to open the file in LibreOffice and study the VBA code.
The expected sequence (from the point of view of the fraudster) is probably something like this:-
1. Email arrives with attached Word document on a Windows computer.
2. The user opens the doc file, but it may require the user to enable macros (VBA) to see contents.
3. Once enabled, VBA runs which:-
- locates user path (e.g. c:\users\steve\AppData\Local\Temp\)
- downloads text from a web location
- creates and edits a Batch file and a VB Script file in users temp folder
- creates an ADO data stream
- extracts data (possibly anything the user has permissions to access)
- cleans up (deletes batch & vbs file)
- ...and appears to delete the ActiveDocument, which I assume is the attached Word document containing the VBA code.
The VBA code is written in a way (presumably) to make it difficult to understand what is happening. So an anti-virus program may not detect any dubious text.
|Extract from the main VBA routine (my comments/notes are in blue)|
The VBA code includes many function spread over 3 modules. It uses a mixture of text, ascii codes and maths functions (to generate numbers to turn into characters) in order to create strings for commands & URLs.
Its a pity...
I have to work in the Windows world, but I'm glad I run Linux at home, as it still has many security benefits. My Lubuntu laptop does not run VB script or VBA, and my Firefox browser blocks scripts by default.
I'm not so sure about my Android phone though. Is it giving all my secrets away?
Whoever created this code is obviously quite bright. Its just a pity that they don't put their skills to better use!