We're so often flooded with news about novel attacks involving bespoke zero-day vulnerabilities or highly targeted campaigns operated by nation-states that it can be hard to remember not every cybercriminal is some kind of super genius. In fact, a significant percentage fall into the Wile E. Coyote category of "determined, but throws roadblocks in his own way, threat actor."
This past Friday, I received yet another example of what has to be one of the most elaborately complex, Rube Goldberg-esque malware installation processes ever conceived. It's so ridiculously elaborate, I had to diagram it.
But to say that this method -- involving a Macro-enabled Microsoft Word document -- is overly complex, fraught with multiple opportunities for failure, and frankly pretty weird does not mean that the attack isn't effective.
To the contrary: The attack mechanism, when nudged along by a compliant victim (or a motivated security analyst), functions remarkably well, despite its questionable pedigree. I've been following this infection mechanism for several months. While bits and pieces have changed over time, the overall flow of the process has remained relatively static, which indicates to me that at least some victims are playing along right until the end. And the eventual payload, Trojan-Dyre, is not something to treat lightly. But the attack itself is so pointlessly complicated that it makes me question the sanity of its creator.