Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
12/15/2015
02:30 PM
Vincent Weafer
Vincent Weafer
Partner Perspectives
50%
50%

Macro Malware Is Back

Social engineering drives macro malware levels to six-year highs.

“Warning: This document contains macros.” A familiar message from the 1990s is back, as attackers find new ways to get people to open documents containing macro malware. This updated threat is targeted at users in large organizations that frequently use macros. Carefully crafted and socially engineered emails entice users to open seemingly legitimate documents and then enable the macro. According to the latest McAfee Labs Threats Report, incidents of malicious macros have increased by a factor of four in the last year.

The most popular macro malware targets are Microsoft Office documents, especially Word files. Word allows macros to run automatically, for example when a user opens a document, closes it, or creates a new one. These commands are commonly used by both legitimate and malicious macros.

The path to a broad-based system infection through macro malware typically starts with an email attachment made to appear like something legitimate, often socially engineered to fit the targeted user. Common subject lines include phrases such as payment request, courier notification, resume, sales invoice, or donation confirmation. The text of the email matches the subject line with enough information to get the attachment opened, including official-looking signatures and logos 

Once opened, the security features in Microsoft Office will warn users that the file contains macros and ask if they want to enable them. Some of these files have large text proclaiming that they are protected and that macros must be enabled to view them. If the user clicks “Enable,” the malicious code executes, dropping a malware downloader onto the system that will bring in the real malware payload, and then often deleting itself afterward. The malicious code can also be embedded in the document as an Active Object, which also generates warnings when clicked, but many users may not be familiar with the threat potential of these files.

One of the biggest changes to macro malware since the last big infestation is its current ability to hide, making it much more difficult to detect. Macro malware authors have adopted several techniques from other types of malware, including adding junk code and writing complex encrypted strings. Junk code is just that -- code that is never intended to execute but can be easily generated and frequently changed to defeat signature-detection algorithms and confuse threat researchers. More complicated is the use of multiple simple functions such as character conversion to hide the malicious URL from email gateways and malware keyword scanners.

The simplicity and ease of coding macros makes them accessible to a wide range of criminals with minimal tech skills. As a result, the potential reach and effectiveness of macro malware means that businesses should re-educate users about this threat. Furthermore, the operating system and applications should be kept up to date, and macro security settings on all Microsoft Office products should be set to high. Email applications should not automatically open attachments. Email gateways and virus scanners should also be configured to scan for and filter email attachments containing macros.

For more information on the recent outbreak of macro malware, please visit http://www.mcafee.com/November2015ThreatsReport.

 

Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He's also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent's team ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
12/15/2015 | 3:41:36 PM
1990's
I was going to say the title reminds me of the prevalence in the 1990's but first line beat me to it.
johnl929
50%
50%
johnl929,
User Rank: Apprentice
12/22/2015 | 1:45:56 AM
Re: 1990's
Hahaha Just what i was thinking!!  :)
gsatpathy
50%
50%
gsatpathy,
User Rank: Apprentice
1/22/2016 | 4:34:54 AM
user training is the solution
An user training is the solution to such mawares. User need to know how to configure Email gateways and virus scanners to scan for and filter email attachments containing macros.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16863
PUBLISHED: 2019-11-14
STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.
CVE-2019-18949
PUBLISHED: 2019-11-14
SnowHaze before 2.6.6 is sometimes too late to honor a per-site JavaScript blocking setting, which leads to unintended JavaScript execution via a chain of webpage redirections targeted to the user's browser configuration.
CVE-2011-1930
PUBLISHED: 2019-11-14
In klibc 1.5.20 and 1.5.21, the DHCP options written by ipconfig to /tmp/net-$DEVICE.conf are not properly escaped. This may allow a remote attacker to send a specially crafted DHCP reply which could execute arbitrary code with the privileges of any process which sources DHCP options.
CVE-2011-1145
PUBLISHED: 2019-11-14
The SQLDriverConnect() function in unixODBC before 2.2.14p2 have a possible buffer overflow condition when specifying a large value for SAVEFILE parameter in the connection string.
CVE-2011-1488
PUBLISHED: 2019-11-14
A memory leak in rsyslog before 5.7.6 was found in the way deamon processed log messages are logged when $RepeatedMsgReduction was enabled. A local attacker could use this flaw to cause a denial of the rsyslogd daemon service by crashing the service via a sequence of repeated log messages sent withi...