Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Visual Basic Malware Continues Resurgence

What’s old is new again.

In a follow-up to a report earlier this year on the reappearance of visual basic code in malicious documents, researchers at Sophos have found that the trend has not only continued – it’s increased.

What’s old is new again.

In a follow-up to a report earlier this year on the reappearance of visual basic code in malicious documents, researchers at Sophos have found that the trend has not only continued – it’s increased.

According to new research, Sophos’ most recent detection statistics show that the percentage of macro-based malware rose from around six percent of all document malware in June to 28 percent in July.

Visual Basic code offers attackers some benefits, Graham Chantry, senior security researcher at SophosLabs, noted in his report.

“Few users run without any anti-virus software these days meaning malware families are forced to change form continuously in an effort to evade detection,” he wrote. “An exploit’s file structure is usually quite rigid which makes tweaking it without breaking its functionality difficult. Visual Basic code is easy to write, flexible and easy to refactor. Similar functionality can often be expressed in many different ways which gives malware authors more options for producing distinct, workable versions of their software than they have with exploits.”

While exploits are tied to specific versions of Microsoft Office, visual basic code isn’t – meaning the attacker does not have to hope the users is running a particular iteration of the software.

About 15 years ago, VBA (Visual Basic for Applications) macro malware like the ILOVEYOU worm and the Melissa virus were raising eyebrows around the world. Their use died down in the ensuing years. But attackers have begun using them again in recent months.

Attackers have taken to using social engineering techniques to trick users into enabling macros. A common tactic, Chantry noted in his report, is claiming that a document’s content is obfuscated for security reasons or that it requires different software to open correctly. In another example, a malicious document claiming to be protected by ‘SOPHOS Encryption’ software and needed to have macros enabled.

“One of the most interesting things I found during research for this paper was the surge in sophisticated social engineering methods,” Chantry told SecurityWeek.

“Document-based malware is commonly circulated in spam where the attached document is often inconsistent with the email content,” he added. “For example an email claiming to be concerned with a court appearance with an attachment claiming to be an invoice. Utilizing encryption means spammers can make use of the same…trick in multiple spam campaigns regardless of context. Masquerading as an AV vendor only serves to make the document appear more genuine and lures the user into a false sense of security that the document is probably not malicious.”

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.