Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

Macro Malware Has Returned: Intel Security

Macro malware, one of the most successful threats in the 1990s, has returned to focus in the form of persistent threats targeting organizations, Intel Security (formerly McAfee Labs) reports.

Macro malware, one of the most successful threats in the 1990s, has returned to focus in the form of persistent threats targeting organizations, Intel Security (formerly McAfee Labs) reports.

Infecting machines through compromised Microsoft Word documents that spread through extensive spam email campaigns, malicious web pages, and drive-by downloads, macro malware has seen a great increase over the past few quarters, the McAfee Labs Threats Report: November 2015 reveals.

Back in the 1990s, the most successful threats in this category were Melissa and WM.Concept, targeted at the highly popular Microsoft Word application, despite the fact that other applications also use macros. At the time, Microsoft Office by default executed macros right from the start, but the tech giant has since disabled them and macros cannot run without the user’s permission. However, many organizations are still using macros, which leaves the door open to infections.

With macro malware becoming popular once again, cybercriminals changed the distribution mechanism to ensure detection is more challenging. While previous campaigns lasted for days or weeks, perpetrators now engage into short lived campaigns, and also change the subject of emails and the carefully crafted attachments to ensure they are not detected and blocked.

What’s more, the compromised files delivered as attachments often behave normally even after performing the malicious activity, which makes infections even more difficult to detect. The bad actors behind macro malware use this entry point to deploy even more malicious applications to the victim’s system, which usually results in more damage being dealt.

Perpetrators use various social engineering techniques to lure users into opening the email and downloading the offending attachment, by creating subject lines such as payment request, important notice, courier notification, resumes, sales invoice, and the like. As soon as the unsuspected user downloads attachment, Microsoft Word asks whether macros should be enabled, and the malware executes as soon as the user enables the option.

After executing the macros, the malware drops PowerShell files on the compromised computer, depending upon the malware family it is part of: Bartallex, Dridex, Donoff, or another downloader. These droppers download further malware, including Upatre, Vawtrak, Chanitor, or Zbot, as well as point of sale threats and ransomware.

Advertisement. Scroll to continue reading.

There are also cases where the malware can be executed even if the user does not enable macros, such as the case of Dridex, which may come in the form of an XML document (.xml or .doc) containing an embedded Base64-encrypted Office object that is executed when the document is opened. A second variant comes as a Word or Excel file containing an Office Active Object that executes the malicious code in the OLE file as native OLE code.

Cybercriminals present the document with an Active Object embedded, and the unsuspecting user might open the malicious object by ignoring the warning and double-clicking it. Just as in other instances, the downloader code runs by executing a PowerShell instance. The Dridex loader is then downloaded and executed, followed by the Dridex DLL, which is injected into explorer.exe, and the malware installs itself onto the compromised system.

According to the report, cybercriminals are also using a variety of code obfuscation techniques to avoid detection and to hide the file’s malicious intent. Junk code is one of these techniques, involving the repeated insertion of lines of code such as functions ranging from character conversion like Chr() and ChrW() to complex customized encryption.

Intel researchers also note that today’s malicious macros have evolved significantly and are more efficient and flexible with the use of features such as PowerShell. They also note that macros look appealing to malware authors as they offer simplicity, ease of coding, and other capabilities for attacking victims and further spreading malware.

To stay protected, users should not enable macros when viewing a document, and they should also avoid opening emails and attachments that come from unknown or untrusted sources. Enterprises should educate users on the matter, should carefully consider the required safety level of each application, and should also configure email services and virus scanners to filter email traffic for attachments that contain macros.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...