Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
12/15/2015
02:30 PM
Vincent Weafer
Vincent Weafer
Partner Perspectives
50%
50%

Macro Malware Is Back

Social engineering drives macro malware levels to six-year highs.

“Warning: This document contains macros.” A familiar message from the 1990s is back, as attackers find new ways to get people to open documents containing macro malware. This updated threat is targeted at users in large organizations that frequently use macros. Carefully crafted and socially engineered emails entice users to open seemingly legitimate documents and then enable the macro. According to the latest McAfee Labs Threats Report, incidents of malicious macros have increased by a factor of four in the last year.

The most popular macro malware targets are Microsoft Office documents, especially Word files. Word allows macros to run automatically, for example when a user opens a document, closes it, or creates a new one. These commands are commonly used by both legitimate and malicious macros.

The path to a broad-based system infection through macro malware typically starts with an email attachment made to appear like something legitimate, often socially engineered to fit the targeted user. Common subject lines include phrases such as payment request, courier notification, resume, sales invoice, or donation confirmation. The text of the email matches the subject line with enough information to get the attachment opened, including official-looking signatures and logos 

Once opened, the security features in Microsoft Office will warn users that the file contains macros and ask if they want to enable them. Some of these files have large text proclaiming that they are protected and that macros must be enabled to view them. If the user clicks “Enable,” the malicious code executes, dropping a malware downloader onto the system that will bring in the real malware payload, and then often deleting itself afterward. The malicious code can also be embedded in the document as an Active Object, which also generates warnings when clicked, but many users may not be familiar with the threat potential of these files.

One of the biggest changes to macro malware since the last big infestation is its current ability to hide, making it much more difficult to detect. Macro malware authors have adopted several techniques from other types of malware, including adding junk code and writing complex encrypted strings. Junk code is just that -- code that is never intended to execute but can be easily generated and frequently changed to defeat signature-detection algorithms and confuse threat researchers. More complicated is the use of multiple simple functions such as character conversion to hide the malicious URL from email gateways and malware keyword scanners.

The simplicity and ease of coding macros makes them accessible to a wide range of criminals with minimal tech skills. As a result, the potential reach and effectiveness of macro malware means that businesses should re-educate users about this threat. Furthermore, the operating system and applications should be kept up to date, and macro security settings on all Microsoft Office products should be set to high. Email applications should not automatically open attachments. Email gateways and virus scanners should also be configured to scan for and filter email attachments containing macros.

For more information on the recent outbreak of macro malware, please visit http://www.mcafee.com/November2015ThreatsReport.

 

Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He's also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent's team ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
gsatpathy
50%
50%
gsatpathy,
User Rank: Apprentice
1/22/2016 | 4:34:54 AM
user training is the solution
An user training is the solution to such mawares. User need to know how to configure Email gateways and virus scanners to scan for and filter email attachments containing macros.
johnl929
50%
50%
johnl929,
User Rank: Apprentice
12/22/2015 | 1:45:56 AM
Re: 1990's
Hahaha Just what i was thinking!!  :)
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
12/15/2015 | 3:41:36 PM
1990's
I was going to say the title reminds me of the prevalence in the 1990's but first line beat me to it.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27956
PUBLISHED: 2020-10-28
An Arbitrary File Upload in the Upload Image component in SourceCodester Car Rental Management System 1.0 allows the user to conduct remote code execution via admin/index.php?page=manage_car because .php files can be uploaded to admin/assets/uploads/ (under the web root).
CVE-2020-27957
PUBLISHED: 2020-10-28
The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieties of games were created within MediaWiki, their names or titles could be manipulated to generate stored XSS within the RandomGameUnit extension.
CVE-2020-16140
PUBLISHED: 2020-10-27
The search functionality of the Greenmart theme 2.4.2 for WordPress is vulnerable to XSS.
CVE-2020-9982
PUBLISHED: 2020-10-27
This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Apple Music 3.4.0 for Android. A malicious application may be able to leak a user's credentials.
CVE-2020-3855
PUBLISHED: 2020-10-27
An access issue was addressed with improved access restrictions. This issue is fixed in macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. A malicious application may be able to overwrite arbitrary files.