What’s old is new again.
In a follow-up to a report earlier this year on the reappearance of visual basic code in malicious documents, researchers at Sophos have found that the trend has not only continued – it’s increased.
According to new research, Sophos’ most recent detection statistics show that the percentage of macro-based malware rose from around six percent of all document malware in June to 28 percent in July.
Visual Basic code offers attackers some benefits, Graham Chantry, senior security researcher at SophosLabs, noted in his report.
“Few users run without any anti-virus software these days meaning malware families are forced to change form continuously in an effort to evade detection,” he wrote. “An exploit’s file structure is usually quite rigid which makes tweaking it without breaking its functionality difficult. Visual Basic code is easy to write, flexible and easy to refactor. Similar functionality can often be expressed in many different ways which gives malware authors more options for producing distinct, workable versions of their software than they have with exploits.”
While exploits are tied to specific versions of Microsoft Office, visual basic code isn’t – meaning the attacker does not have to hope the users is running a particular iteration of the software.
About 15 years ago, VBA (Visual Basic for Applications) macro malware like the ILOVEYOU worm and the Melissa virus were raising eyebrows around the world. Their use died down in the ensuing years. But attackers have begun using them again in recent months.
Attackers have taken to using social engineering techniques to trick users into enabling macros. A common tactic, Chantry noted in his report, is claiming that a document’s content is obfuscated for security reasons or that it requires different software to open correctly. In another example, a malicious document claiming to be protected by ‘SOPHOS Encryption’ software and needed to have macros enabled.
“One of the most interesting things I found during research for this paper was the surge in sophisticated social engineering methods,” Chantry told SecurityWeek.
“Document-based malware is commonly circulated in spam where the attached document is often inconsistent with the email content,” he added. “For example an email claiming to be concerned with a court appearance with an attachment claiming to be an invoice. Utilizing encryption means spammers can make use of the same…trick in multiple spam campaigns regardless of context. Masquerading as an AV vendor only serves to make the document appear more genuine and lures the user into a false sense of security that the document is probably not malicious.”
