Microsoft Warns Users of New Malware Attack via a Disguised Excel Attachment

The new campaign uses malicious macro functions in an Excel attachment to attack Windows PCs.

Microsoft Warns Users of New Malware Attack via a Disguised Excel Attachment

Photo Credit: Twitter/ Microsoft Security Intelligence

Microsoft has warned users of a new malware campaign

  • The new malware campaign kicks off with an email and an attachment
  • A malicious file is installed, delivering the FlawedAmmyyy malware
  • The malware campaign is targeted towards Korean users

Microsoft is drawing attention to a new malware attack that infects Windows systems using its own Office software's macro functions. A new malware campaign is doing the rounds and it essentially employs a complex infection chain to download and run the notorious FlawedAmmyy RAT malware directly in memory. The attack starts with an email and .xls attachment with content in the Korean language, indicating that it is primarily targeting Korean users. It uses malicious macro functions in an Excel attachment to attack Windows PCs.

According to security firm Proofpoint, the malicious campaign has been started by a group called TA505. They have been responsible for similar attacks in the past, the security firm says, and this particular latest trick involves a malicious email and an Excel attachment that Microsoft warns users from opening.

"When opened, the .xls file automatically runs a macro function that runs msiexec.exe, which in turn downloads an MSI archive. The MSI archive contains a digitally signed executable that is extracted and run[s], and that decrypts and runs another executable in memory," Microsoft notes in its series of tweets.

A file called wsus.exe is then downloaded and decrypted, and it is intelligently designed to pass off as the official Microsoft Windows Service Update Service (WSUS). It is digitally signed on June 19, and decrypts the payload in RAM, delivering the FlawedAmmyy payload.

Microsoft says that its Threat Protection defends customers from this attack. “Cloud-based machine learning protections in Microsoft Defender ATP blocked all of the components of this attack at first sight, including the FlawedAmmyy RAT payload. Office 365 ATP detects the email campaign,” the company notes.


For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Further reading: Microsoft, FlawedAmmyy, Windows
Tasneem Akolawala is a Senior Reporter for Gadgets 360. Her reporting expertise encompasses smartphones, wearables, apps, social media, and the overall tech industry. She reports out of Mumbai, and also writes about the ups and downs in the Indian telecom sector. Tasneem can be reached on Twitter at @MuteRiot, and leads, tips, and releases can be sent to More
Alphabet's Sidewalk Labs Releases Toronto Smart City Master Plan Details: What You Should Know
Russian, North American Astronauts Return to Earth

Related Stories

Share on Facebook Tweet Snapchat Share Reddit Comment



© Copyright Red Pixels Ventures Limited 2021. All rights reserved.
Listen to the latest songs, only on