Macro-based malware is making a comeback

Uploaded on 2015-01-29 in TECHNOLOGY-Key Areas-Social Media, NEWS-News Analysis, BUSINESS-Services-IT & Telecoms

For the past several months, different groups of attackers have distributed malware through Microsoft Office documents that contain malicious macros, reviving a technique that has been out of style for more than a decade.

Macros are scripts that contain commands for automating tasks in various applications. Microsoft Office programs like Word and Excel support macros written in Visual Basic for Applications (VBA) and these can be used for malicious activities like installing malware.

To prevent abuse, starting with Office XP, released in 2001, users are asked for permission before executing unsigned macros embedded in files, this being the primary reason why attackers have stopped using macros in favor of other malware distribution methods. However, it seems that when coupled with social engineering the technique can still be effective and some cybercriminal groups have recently started to exploit that.

"The Microsoft Malware Protection Center (MMPC) has recently seen an increasing number of threats using macros to spread their malicious code," malware researchers from Microsoft said in a blog post last Friday.

Two such threats that primarily target users in the U.S. and U.K. and whose activity peaked in mid-December are called Adnel and Tarbir. Both are distributed through macros embedded in .doc and .xls documents that are delivered via spam emails and typically masquerade as receipts, invoices, wire transfer confirmations, bills and shipping notices.

When opened, the documents provide victims with step-by-step instructions on how to enable the untrusted macros to run, the Microsoft researchers said. "The combination of the instructional document, spam email with supposed monetary content, and a seemingly relevant file name, can be enough to convince an unsuspecting user to click the Enable Content button."

Another malware program that's being distributed through macros is called Dridex and it targets online banking users. At their peak in November, the Dridex-related spam campaigns distributed up to 15,000 documents with malicious macros per day, according to researchers from security firm Trustwave.

The documents posed as invoices from software companies, online retailers, banking institutions and shipping companies and some of them had instructions on how to enable the macros to run, the Trustwave researchers said.

It's not just cybercriminals who began using the macros technique again, but also state-sponsored attackers. Researchers Gadi Evron and Tillmann Werner recently presented their analysis of a cyber espionage operation dubbed Rocket Kitten at the Chaos Communication Congress in Hamburg. The attackers targeted government and academic organizations in Israel and Western Europe using spear-phishing emails that contained Excel files with malicious macros. When run, the macros installed a sophisticated backdoor.

Another cyber espionage campaign that used Word documents with malicious macros was CosmicDuke, which was uncovered in September and targeted at least one European Ministry of Foreign Affairs. "It's heartwarming to see how kind the attackers are: when you open the email attachment, the Word document helps you enable macros by instructing you to click 'Enable Content'," researchers from F-Secure said Wednesday in a blog post discussing connections between the CosmicDuke, MiniDuke and OnionDuke malware programs.

Computerworld

 

« News organisations to develop Robot Journalists
New institute to train cyber security talent »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

KoolSpan

KoolSpan

KoolSpan’s security and privacy solutions address the growing threat of loss or theft of intellectual property, information, and proprietary assets.

CyberScout

CyberScout

Cyberscout delivers the latest cybersecurity education, protection and resolutions services. We also provide swift incident response services around the world.

FarrPoint

FarrPoint

FarrPoint is a specialist telecoms consultancy providing a range of services including cyber security assessments and technical assurance to safeguard your data.

RedShield Security

RedShield Security

RedShield is the world's first web application shielding-with-a-service company.

Crashtest Security

Crashtest Security

Crashtest Security is a cyber security company that helps digital companies to continuously create secure software with the help of automated vulnerability assessments.

Cycode

Cycode

Cycode is the industry’s first source code control, detection, and response platform.

Clario Tech

Clario Tech

Clario is a simple, comprehensive, personalized protection app. It comes with a full suite of intelligent security software and intelligent people to help you live a better, safer digital life.

GateKeeper Enterprise

GateKeeper Enterprise

The GateKeeper Enterprise software is an identity access management solution. Automated proximity-based authentication into computers and websites. Passwordless login and auto-lock PCs.

Sekuro

Sekuro

Sekuro is your leading governance and cyber security partner. Building organisational resilience. Enabling fearless innovation.

Curity

Curity

The Curity Identity Server brings identity and API security together, enabling highly scalable and secure user access to digital services.

Prime Technology Services

Prime Technology Services

Prime Tech are a group of Red Hat, Microsoft & Cisco Certified IT Professionals with an impressive track record of consistently delivering value to our corporate clients.

Zitec

Zitec

One of Europe's largest and most prominent full-cycle software development services companies, Zitec is the digital transformation partner to companies in the EU, UK, USA, Canada and ME.

PT Kubus Hitam Indonesia

PT Kubus Hitam Indonesia

Kubus Hitam are a research-based company focused on cyber security. we strongly believe that innovation and safety are the two keywords for the future business market.

SecurityLoophole

SecurityLoophole

SecurityLoophole is an independent cyber security news platform with global coverage. Latest updates, reports, news and events related to cyber security.

Mindflow

Mindflow

Mindflow is dedicated to bringing answers to the challenges the cybersecurity field and beyond face today.

SecureAck

SecureAck

From our A-Op SaaS automation platform to Managed Automation-as-a-Service (MAaaS), SecureAck offer powerful security automation the way that best suits your organisation's needs.