The deployment of malware via malicious Word documents is nothing new, although the tactics used by cybercriminals often change. Now a new method of malware deployment has been uncovered, in which users are fooled into downloading the malicious payload.
The attack starts like many other email-based attacks. The user must open the email and its attachment and enable macros. The macro then searches for common desktop shortcuts such as Google Chrome or Skype. A corresponding malicious file is then downloaded to the appropriate location from GitHub or Google Drive. That file has a suitably benign name such as chrome_update.exe, and the target path of the shortcut is changed to point at it.
The malware will then be executed when the user eventually double clicks on the malicious desktop shortcut. Once that happens, the desktop shortcut will be changed back to its original target, so that the next time the user double clicks, the shortcut will launch the correct program.
Once the shortcut has been clicked the end user will likely be unaware that a backdoor has been installed. The malware creates a Windows service named WPM Provider Host, which runs in the background and downloads files onto the infected computer. According to Trend Micro, which identified this new campaign, additional files downloaded to the device include legitimate tools such as WinRAR.
The malware then downloads RAR archives to the computer, which are unpacked using the downloaded WinRAR program. These downloads are set to occur every hour until all required files have been downloaded. The installer files are run by the WPM Provider Host service. The Ammyy Admin remote administration tool is also installed, giving the attacker remote access to the infected system.
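The two indicators described above, the rewritten desktop shortcut and the "WPM Provider Host" service, can be audited on a workstation with the following script. This is an added example, not code from the article or from Trend Micro's report; it assumes it is run with administrative rights on the machine being checked, and the list of expected install roots is a constructed baseline you would adjust for your own environment.

```powershell
# Audit desktop shortcuts and look for the service indicator from the report.
# Added example; WScript.Shell is used to read each .lnk file's target path.

$shell = New-Object -ComObject WScript.Shell

# Constructed baseline: directories a legitimate shortcut is expected to point into.
# Per-user installs (e.g. Chrome under %LOCALAPPDATA%) fall outside these roots,
# so location alone is only a hint; the Authenticode check below is the stronger signal.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

# Every user's desktop plus the public desktop.
$desktops = @("$env:PUBLIC\Desktop") +
    (Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object { Join-Path $_.FullName 'Desktop' })

$findings = foreach ($desktop in $desktops) {
    if (-not (Test-Path $desktop)) { continue }
    foreach ($lnk in Get-ChildItem $desktop -Filter *.lnk -File) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if (-not $target) { continue }

        $inTrustedRoot = [bool]($trustedRoots | Where-Object {
            $target.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })

        # A genuine Chrome or Skype binary carries a valid signature; a dropped
        # "chrome_update.exe" normally does not (or the target no longer exists).
        $sig = if (Test-Path $target) { (Get-AuthenticodeSignature $target).Status } else { 'TargetMissing' }

        if ($sig -ne 'Valid') {
            [pscustomobject]@{
                Shortcut      = $lnk.FullName
                Target        = $target
                Signature     = $sig
                InTrustedRoot = $inTrustedRoot
            }
        }
    }
}

"Suspicious desktop shortcuts:"
$findings | Format-Table -AutoSize

# The shortcut is restored after the first click, so the service is the persistent indicator.
"Services matching the name reported by Trend Micro:"
Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -eq 'WPM Provider Host' -or $_.Name -eq 'WPM Provider Host' } |
    Select-Object Name, DisplayName, State, StartMode, PathName
```

Because the hijacked shortcut is reverted after it has been clicked once, the shortcut audit only catches the window between the macro running and the first click; the service check and the hourly download pattern are what remain visible afterwards.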
Information is collected from the infected system through dump files, which are compressed and exfiltrated via SMTP by connecting to the mail servers rambler.ru and meta.ua.
Based on the information collected, and the fact that some of the dump files created by the malware were changed and updated, Trend Micro suspects that the malware is in the early stages of development and further versions will be released at a later date.
Threat actors are constantly changing the tactics they use to download malicious files and steal sensitive information, as this unusual method of attack shows. At this stage, there have been few victims and the campaign appears to have a limited distribution, so far targeting users in Russia, although that could well change.
Macros are disabled by default in Microsoft Office, so this attack method requires an end user to enable macros before the malicious payload is downloaded and installed. Aside from an advanced spam filtering solution to block malicious emails, one of the most effective ways of preventing the installation of malware is through security awareness training. Employees should be instructed to exercise caution when opening emails from unknown individuals, and never to enable macros in documents sent via email.