Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
12/15/2015
02:30 PM
Vincent Weafer
Vincent Weafer
Partner Perspectives
50%
50%

Macro Malware Is Back

Social engineering drives macro malware levels to six-year highs.

“Warning: This document contains macros.” A familiar message from the 1990s is back, as attackers find new ways to get people to open documents containing macro malware. This updated threat is targeted at users in large organizations that frequently use macros. Carefully crafted and socially engineered emails entice users to open seemingly legitimate documents and then enable the macro. According to the latest McAfee Labs Threats Report, incidents of malicious macros have increased by a factor of four in the last year.

The most popular macro malware targets are Microsoft Office documents, especially Word files. Word allows macros to run automatically, for example when a user opens a document, closes it, or creates a new one. These commands are commonly used by both legitimate and malicious macros.

The path to a broad-based system infection through macro malware typically starts with an email attachment made to appear like something legitimate, often socially engineered to fit the targeted user. Common subject lines include phrases such as payment request, courier notification, resume, sales invoice, or donation confirmation. The text of the email matches the subject line with enough information to get the attachment opened, including official-looking signatures and logos 

Once opened, the security features in Microsoft Office will warn users that the file contains macros and ask if they want to enable them. Some of these files have large text proclaiming that they are protected and that macros must be enabled to view them. If the user clicks “Enable,” the malicious code executes, dropping a malware downloader onto the system that will bring in the real malware payload, and then often deleting itself afterward. The malicious code can also be embedded in the document as an Active Object, which also generates warnings when clicked, but many users may not be familiar with the threat potential of these files.

One of the biggest changes to macro malware since the last big infestation is its current ability to hide, making it much more difficult to detect. Macro malware authors have adopted several techniques from other types of malware, including adding junk code and writing complex encrypted strings. Junk code is just that -- code that is never intended to execute but can be easily generated and frequently changed to defeat signature-detection algorithms and confuse threat researchers. More complicated is the use of multiple simple functions such as character conversion to hide the malicious URL from email gateways and malware keyword scanners.

The simplicity and ease of coding macros makes them accessible to a wide range of criminals with minimal tech skills. As a result, the potential reach and effectiveness of macro malware means that businesses should re-educate users about this threat. Furthermore, the operating system and applications should be kept up to date, and macro security settings on all Microsoft Office products should be set to high. Email applications should not automatically open attachments. Email gateways and virus scanners should also be configured to scan for and filter email attachments containing macros.

For more information on the recent outbreak of macro malware, please visit http://www.mcafee.com/November2015ThreatsReport.

 

Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He's also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent's team ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
12/15/2015 | 3:41:36 PM
1990's
I was going to say the title reminds me of the prevalence in the 1990's but first line beat me to it.
johnl929
50%
50%
johnl929,
User Rank: Apprentice
12/22/2015 | 1:45:56 AM
Re: 1990's
Hahaha Just what i was thinking!!  :)
gsatpathy
50%
50%
gsatpathy,
User Rank: Apprentice
1/22/2016 | 4:34:54 AM
user training is the solution
An user training is the solution to such mawares. User need to know how to configure Email gateways and virus scanners to scan for and filter email attachments containing macros.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13864
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
CVE-2020-13865
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.
CVE-2020-11696
PUBLISHED: 2020-06-05
In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4.
CVE-2020-11697
PUBLISHED: 2020-06-05
In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4.
CVE-2020-13646
PUBLISHED: 2020-06-05
In the cheetah free wifi 5.1 driver file liebaonat.sys, local users are allowed to cause a denial of service (BSOD) or other unknown impact due to failure to verify the value of a specific IOCTL.