Partner Perspectives  Connecting marketers to our tech communities.
12/15/2015
02:30 PM
Vincent Weafer
Vincent Weafer
Partner Perspectives
50%
50%

Macro Malware Is Back

Social engineering drives macro malware levels to six-year highs.

“Warning: This document contains macros.” A familiar message from the 1990s is back, as attackers find new ways to get people to open documents containing macro malware. This updated threat is targeted at users in large organizations that frequently use macros. Carefully crafted and socially engineered emails entice users to open seemingly legitimate documents and then enable the macro. According to the latest McAfee Labs Threats Report, incidents of malicious macros have increased by a factor of four in the last year.

The most popular macro malware targets are Microsoft Office documents, especially Word files. Word allows macros to run automatically, for example when a user opens a document, closes it, or creates a new one. These commands are commonly used by both legitimate and malicious macros.

The path to a broad-based system infection through macro malware typically starts with an email attachment made to appear like something legitimate, often socially engineered to fit the targeted user. Common subject lines include phrases such as payment request, courier notification, resume, sales invoice, or donation confirmation. The text of the email matches the subject line with enough information to get the attachment opened, including official-looking signatures and logos 

Once opened, the security features in Microsoft Office will warn users that the file contains macros and ask if they want to enable them. Some of these files have large text proclaiming that they are protected and that macros must be enabled to view them. If the user clicks “Enable,” the malicious code executes, dropping a malware downloader onto the system that will bring in the real malware payload, and then often deleting itself afterward. The malicious code can also be embedded in the document as an Active Object, which also generates warnings when clicked, but many users may not be familiar with the threat potential of these files.

One of the biggest changes to macro malware since the last big infestation is its current ability to hide, making it much more difficult to detect. Macro malware authors have adopted several techniques from other types of malware, including adding junk code and writing complex encrypted strings. Junk code is just that -- code that is never intended to execute but can be easily generated and frequently changed to defeat signature-detection algorithms and confuse threat researchers. More complicated is the use of multiple simple functions such as character conversion to hide the malicious URL from email gateways and malware keyword scanners.

The simplicity and ease of coding macros makes them accessible to a wide range of criminals with minimal tech skills. As a result, the potential reach and effectiveness of macro malware means that businesses should re-educate users about this threat. Furthermore, the operating system and applications should be kept up to date, and macro security settings on all Microsoft Office products should be set to high. Email applications should not automatically open attachments. Email gateways and virus scanners should also be configured to scan for and filter email attachments containing macros.

For more information on the recent outbreak of macro malware, please visit http://www.mcafee.com/November2015ThreatsReport.

 

Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He's also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent's team ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
gsatpathy
50%
50%
gsatpathy,
User Rank: Apprentice
1/22/2016 | 4:34:54 AM
user training is the solution
An user training is the solution to such mawares. User need to know how to configure Email gateways and virus scanners to scan for and filter email attachments containing macros.
johnl929
50%
50%
johnl929,
User Rank: Apprentice
12/22/2015 | 1:45:56 AM
Re: 1990's
Hahaha Just what i was thinking!!  :)
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
12/15/2015 | 3:41:36 PM
1990's
I was going to say the title reminds me of the prevalence in the 1990's but first line beat me to it.
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: On the SS7 network, nobody knows you're a dog.
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-5740
PUBLISHED: 2019-01-16
"deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is i...
CVE-2018-5741
PUBLISHED: 2019-01-16
To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update ...
CVE-2016-9778
PUBLISHED: 2019-01-16
An error in handling certain queries can cause an assertion failure when a server is using the nxdomain-redirect feature to cover a zone for which it is also providing authoritative service. A vulnerable server could be intentionally stopped by an attacker if it was using a configuration that met th...
CVE-2017-3135
PUBLISHED: 2019-01-16
Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affects BIND 9.8.8, 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1...
CVE-2017-3136
PUBLISHED: 2019-01-16
A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were me...