What Is MOUSEISLAND?
MOUSEISLAND is a family of first-stage malware that leverages Microsoft Visual Basic for Applications (VBA) macros embedded in Microsoft Office documents to gain initial access to a target's system. Once opened, Office documents trojanized with a MOUSEISLAND payload download second-stage malware such as PHOTOLOADER or IcedID, allowing attackers to control the infected system remotely.
First observed in 2019, MOUSEISLAND malware is relatively new. Still, it is not expected to remain effective for long since Microsoft announced that VBA macros would be turned off by default in all Office applications as of July 27, 2022. Although its lifespan may be short-lived, MOUSEISLAND has been rated as one of the top malware strains of 2021, according to the US Government's Cybersecurity Infrastructure and Security Agency (CISA).
MOUSEISLAND is usually delivered to targets via phishing emails as a password-protected .zip attachment to avoid detection by malware scanners. However, MOUSEISLAND can be delivered via other vectors, such as USB key drops or fake social media posts.
MOUSEISLAND is not associated with a well-known large-scale malware group but has been observed to work in cooperation with larger cybercrime groups such as TrickBot and Shathak.
What MOUSEISLAND Works
MOUSEISLAND works as a trojanized Microsoft Office document and falls under the classification of first-stage malware: it helps attackers gain initial access to a system so they can download second-stage malware to achieve secondary goals, such as stealing sensitive files, installing ransomware, or conducting denial-of-service attacks.
A typical MOUSEISLAND attack follows the following process:
- A trojanized MS Word document is delivered via a password-protected .zip file to avoid detection from malware scanners
- The victim opens the document using the attacker-supplied password, which executes a VBA macro, downloading and executing a secondary payload
- Second-stage malware is downloaded, furthering the compromise by installing a remote access shell for attackers to execute commands on the exploited system
Signs of a MOUSEISLAND Attack
Because MOUSEISLAND can be detected by security products that scan email and downloads for malware, attackers attempt to deliver it in an encrypted format, such as a password-protected .zip file, so that the file's contents cannot be scanned. Most email service providers will display a notification warning of an encrypted attachment, alerting target users of a potential attack.
Another sign of a MOUSEISLAND attack is the warning message presented by Microsoft Office applications when opening a document that contains a VBA macro. User action is required to allow a VBA macro to execute; this warning message indicates that the document may contain malware.
How to Prevent a MOUSEISLAND Attack
Beginning July 27, 2022, Microsoft has disabled VBA macros for Office applications by default, so MOUSEISLAND payloads will be unable to execute on updated Microsoft systems—unless Office applications are explicitly reconfigured to allow VBA macros. However, for legacy systems or those that do not receive updates, protection options include the following:
- Ensure Office applications are configured with Disable all macros without notification or Disable all except digitally signed macros settings
- Install and configure endpoint security products that will scan encrypted documents immediately after they are unencrypted
- Pay special attention to warning notifications in email clients and Office applications
- Recognize the increased risk that encrypted files present and verify the context of such documents thoroughly before opening them
- Consider user awareness training to educate personnel about phishing techniques and develop standard operating procedures (SOP) for handling suspicious emails and documents