Macro-based malware is making a comeback

Uploaded on 2015-01-29 in TECHNOLOGY-Key Areas-Social Media, NEWS-Cybersecurity News, BUSINESS-Services-IT & Telecoms

For the past several months, different groups of attackers have distributed malware through Microsoft Office documents that contain malicious macros, reviving a technique that has been out of style for more than a decade.

Macros are scripts that contain commands for automating tasks in various applications. Microsoft Office programs like Word and Excel support macros written in Visual Basic for Applications (VBA) and these can be used for malicious activities like installing malware.

To prevent abuse, starting with Office XP, released in 2001, users are asked for permission before executing unsigned macros embedded in files, this being the primary reason why attackers have stopped using macros in favor of other malware distribution methods. However, it seems that when coupled with social engineering the technique can still be effective and some cybercriminal groups have recently started to exploit that.

"The Microsoft Malware Protection Center (MMPC) has recently seen an increasing number of threats using macros to spread their malicious code," malware researchers from Microsoft said in a blog post last Friday.

Two such threats that primarily target users in the U.S. and U.K. and whose activity peaked in mid-December are called Adnel and Tarbir. Both are distributed through macros embedded in .doc and .xls documents that are delivered via spam emails and typically masquerade as receipts, invoices, wire transfer confirmations, bills and shipping notices.

When opened, the documents provide victims with step-by-step instructions on how to enable the untrusted macros to run, the Microsoft researchers said. "The combination of the instructional document, spam email with supposed monetary content, and a seemingly relevant file name, can be enough to convince an unsuspecting user to click the Enable Content button."

Another malware program that's being distributed through macros is called Dridex and it targets online banking users. At their peak in November, the Dridex-related spam campaigns distributed up to 15,000 documents with malicious macros per day, according to researchers from security firm Trustwave.

The documents posed as invoices from software companies, online retailers, banking institutions and shipping companies and some of them had instructions on how to enable the macros to run, the Trustwave researchers said.

It's not just cybercriminals who began using the macros technique again, but also state-sponsored attackers. Researchers Gadi Evron and Tillmann Werner recently presented their analysis of a cyber espionage operation dubbed Rocket Kitten at the Chaos Communication Congress in Hamburg. The attackers targeted government and academic organizations in Israel and Western Europe using spear-phishing emails that contained Excel files with malicious macros. When run, the macros installed a sophisticated backdoor.

Another cyber espionage campaign that used Word documents with malicious macros was CosmicDuke, which was uncovered in September and targeted at least one European Ministry of Foreign Affairs. "It's heartwarming to see how kind the attackers are: when you open the email attachment, the Word document helps you enable macros by instructing you to click 'Enable Content'," researchers from F-Secure said Wednesday in a blog post discussing connections between the CosmicDuke, MiniDuke and OnionDuke malware programs.

Computerworld

 

« News organisations to develop Robot Journalists
New institute to train cyber security talent »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Japan Network Security Association (JNSA)

Japan Network Security Association (JNSA)

JNSA's goal is to promote standardization related to network security and to contribute to greater technological standards in the field.

Sentropi

Sentropi

Sentropi is an online protection solution against charge backs, account takeovers, identity thefts and online scams.

SentryBay

SentryBay

SentryBay is the global leader in preventative endpoint isolation protection. We protect remote, BYOD and corporate endpoints so they can safely and securely connect with your corporate network.

SQNetworks

SQNetworks

SQNetworks provides a full range of cybersecurity consultancy, services and solutions.

Entel CyberSecure

Entel CyberSecure

Entel CyberSecure is a portfolio of Cybersecurity solutions and services for the protection, defense, risk management and regulatory compliance of ICT Systems for corporations and Government.

Expanse

Expanse

Expanse SaaS-delivered products plus service expertise reduce your internet edge risk to prevent breaches and successful attacks.

Plug and Play Tech Center

Plug and Play Tech Center

Plug and Play is the ultimate innovation platform, bringing together the best startups and the world’s largest corporations.

Connectria

Connectria

Connectria provides cloud hosting, remote monitoring, and compliant cloud security solutions and services to enterprises, medium and small businesses.

Early Birds

Early Birds

Early Birds is a Business to Business (B2B) marketplace for Innovators (Startups/Scaleups) and Early Adopters to exchange value early on.

SAM Seamless Network

SAM Seamless Network

SAM Seamless Network is a cybersecurity technology platform that protects the connected home, by tackling cyber security threats at the source.

JFrog

JFrog

JFrog is on a mission to enable continuous updates through Liquid Software, empowering developers to code high-quality applications that securely flow to end-users with zero downtime.

Three Wire Systems

Three Wire Systems

Three Wire is a leader in innovative and efficient technology solutions for government agencies and large enterprise corporations.

Skyhigh Security

Skyhigh Security

Skyhigh Security enables your remote workforce while addressing your cloud, web, data, and network security needs.

HEAL Security

HEAL Security

HEAL Security is the global authority for cybersecurity data, research and insights across the healthcare sector.

NetAlly

NetAlly

NetAlly network test solutions help engineers and technicians better deploy, manage, maintain, and secure today’s complex wired and wireless networks.

UKON

UKON

UKON is the free cyber insurance marketplace for MSPs, agencies and partners to turn risk into revenue.