Macro malware, one of the most successful threats in the 1990s, has returned to focus in the form of persistent threats targeting organizations, Intel Security (formerly McAfee Labs) reports.
Infecting machines through compromised Microsoft Word documents that spread through extensive spam email campaigns, malicious web pages, and drive-by downloads, macro malware has seen a great increase over the past few quarters, the McAfee Labs Threats Report: November 2015 reveals.
Back in the 1990s, the most successful threats in this category were Melissa and WM.Concept, targeted at the highly popular Microsoft Word application, despite the fact that other applications also use macros. At the time, Microsoft Office by default executed macros right from the start, but the tech giant has since disabled them and macros cannot run without the user’s permission. However, many organizations are still using macros, which leaves the door open to infections.
With macro malware becoming popular once again, cybercriminals changed the distribution mechanism to ensure detection is more challenging. While previous campaigns lasted for days or weeks, perpetrators now engage in short-lived campaigns, and also change the subject of emails and the carefully crafted attachments to ensure they are not detected and blocked.
What’s more, the compromised files delivered as attachments often behave normally even after performing the malicious activity, which makes infections even more difficult to detect. The bad actors behind macro malware use this entry point to deploy even more malicious applications to the victim’s system, which usually results in more damage being dealt.
Perpetrators use various social engineering techniques to lure users into opening the email and downloading the offending attachment, by creating subject lines such as payment request, important notice, courier notification, resumes, sales invoice, and the like. As soon as the unsuspecting user downloads the attachment, Microsoft Word asks whether macros should be enabled, and the malware executes as soon as the user enables the option.
After executing the macros, the malware drops PowerShell files on the compromised computer, depending upon the malware family it is part of: Bartallex, Dridex, Donoff, or another downloader. These droppers download further malware, including Upatre, Vawtrak, Chanitor, or Zbot, as well as point of sale threats and ransomware.
There are also cases where the malware can be executed even if the user does not enable macros, such as the case of Dridex, which may come in the form of an XML document (.xml or .doc) containing an embedded Base64-encoded Office object that is executed when the document is opened. A second variant comes as a Word or Excel file containing an Office Active Object that executes the malicious code in the OLE file as native OLE code.
Cybercriminals present the document with an Active Object embedded, and the unsuspecting user might open the malicious object by ignoring the warning and double-clicking it. Just as in other instances, the downloader code runs by executing a PowerShell instance. The Dridex loader is then downloaded and executed, followed by the Dridex DLL, which is injected into explorer.exe, and the malware installs itself onto the compromised system.
According to the report, cybercriminals are also using a variety of code obfuscation techniques to avoid detection and to hide the file’s malicious intent. Junk code is one of these techniques, involving the repeated insertion of lines of code such as functions ranging from character conversion like Chr() and ChrW() to complex customized encryption.
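For analysts triaging a suspicious macro, the Chr()/ChrW() pattern described above can be both measured and undone. This Python sketch is an added example, not code from the report; the function names are hypothetical and the VBA sample is constructed.

```python
import re

# One call: Chr(104), ChrW(&H68), Chr$(104) (decimal or VBA hex literal)
CHR_CALL = re.compile(r"\bChrW?\$?\(\s*(&H[0-9A-F]+|\d+)\s*\)", re.I)
# One term of a concatenation: a string literal or a Chr() call
TERM = r'(?:"(?:[^"]|"")*"|ChrW?\$?\(\s*(?:&H[0-9A-F]+|\d+)\s*\))'
# Two or more terms joined by & or +
CONCAT = re.compile(rf"{TERM}(?:\s*[&+]\s*{TERM})+", re.I)

def _term_value(term: str) -> str:
    m = CHR_CALL.fullmatch(term)
    if m:
        n = m.group(1)
        code = int(n[2:], 16) if n.upper().startswith("&H") else int(n)
        return chr(code & 0xFFFF)  # keep within the 16-bit ChrW range
    return term[1:-1].replace('""', '"')  # VBA doubles quotes inside literals

def resolve_chr_strings(vba: str) -> list:
    """Fold Chr()/literal concatenations back into the strings they build."""
    out = []
    for m in CONCAT.finditer(vba):
        if not CHR_CALL.search(m.group(0)):
            continue  # plain literal concatenation, not Chr() obfuscation
        terms = re.findall(TERM, m.group(0), re.I)
        out.append("".join(_term_value(t) for t in terms))
    return out

def chr_density(vba: str) -> float:
    """Chr()/ChrW() calls per non-blank source line; high values merit review."""
    lines = [ln for ln in vba.splitlines() if ln.strip()]
    return len(CHR_CALL.findall(vba)) / max(len(lines), 1)

# Constructed sample written for this example (not taken from any real macro)
SAMPLE = '''Sub AutoOpen()
    Dim u As String
    u = Chr(104) & ChrW(116) & Chr(&H74) & "p://" & "example.invalid/a"
    MsgBox "hello " & "world"
End Sub'''

if __name__ == "__main__":
    print(resolve_chr_strings(SAMPLE), round(chr_density(SAMPLE), 2))
```

The density figure is only a triage signal, since legitimate macros also call Chr(); the resolved strings are what an analyst reads to see which URLs or commands the concatenation was hiding.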
Intel researchers also note that today’s malicious macros have evolved significantly and are more efficient and flexible with the use of features such as PowerShell. They also note that macros look appealing to malware authors as they offer simplicity, ease of coding, and other capabilities for attacking victims and further spreading malware.
To stay protected, users should not enable macros when viewing a document, and they should also avoid opening emails and attachments that come from unknown or untrusted sources. Enterprises should educate users on the matter, should carefully consider the required safety level of each application, and should also configure email services and virus scanners to filter email traffic for attachments that contain macros.
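The attachment filtering recommended above comes down to a file-format check, which also covers the XML and embedded-object variants described earlier. The following Python is an added example, not code from the McAfee Labs report or from any product; the function names and reason labels are hypothetical, the markers it looks for (vbaProject.bin, the _VBA_PROJECT storage, w:binData/pkg:binaryData, the ActiveMime header) are standard Office format features rather than details from the report, and the samples are constructed in memory.

```python
import base64
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound-file header
# Base64 payload elements: Word 2003 XML (w:binData), Flat OPC (pkg:binaryData)
B64_ELEM = re.compile(rb"<(?:w:binData|pkg:binaryData)[^>]*>([^<]+)<", re.I)

def macro_indicators(data: bytes) -> list:
    """Return the reasons a mail filter should hold this attachment."""
    hits = []
    if data.startswith(OLE_MAGIC):  # legacy .doc/.xls container
        if "_VBA_PROJECT".encode("utf-16-le") in data:  # VBA storage name
            hits.append("ole-vba-project")
    elif data.startswith(b"PK"):  # OOXML (.docx/.docm/.xlsm) is a ZIP
        try:
            names = [n.lower() for n in zipfile.ZipFile(io.BytesIO(data)).namelist()]
        except zipfile.BadZipFile:
            return ["malformed-zip"]
        if any(n.endswith("vbaproject.bin") for n in names):
            hits.append("ooxml-vba-project")
        if any("/embeddings/" in n or "/activex/" in n for n in names):
            hits.append("ooxml-embedded-object")
    elif data.lstrip(b"\xef\xbb\xbf\r\n\t ")[:5].lower() == b"<?xml":
        # XML document carrying a Base64-encoded Office object
        for m in B64_ELEM.finditer(data):
            try:
                blob = base64.b64decode(m.group(1))
            except ValueError:
                hits.append("xml-undecodable-bindata")
                continue
            if blob.startswith((OLE_MAGIC, b"ActiveMime")):
                hits.append("xml-embedded-office-object")
    return hits

def constructed_samples() -> dict:
    """Stand-ins built in memory (constructed; not real documents)."""
    def make_zip(*names):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for n in names:
                z.writestr(n, b"placeholder")
        return buf.getvalue()
    mso = base64.b64encode(b"ActiveMime" + b"\x00" * 8)
    return {
        "clean.docx": make_zip("word/document.xml"),
        "invoice.docm": make_zip("word/document.xml", "word/vbaProject.bin"),
        "notice.xml": b'<?xml version="1.0"?><w:wordDocument><w:binData>'
                      + mso + b"</w:binData></w:wordDocument>",
    }
```

A hit means the file can carry macros or embedded objects, not that it is malicious; organizations that still rely on macros would route hits to quarantine or sandboxing rather than dropping them outright.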

