Microsoft observed a significant increase in macros based malware

The Microsoft Malware Protection Center (MMPC) has recently observed a surge in the infections of malware using macros to spread their malicious code.

The Microsoft Malware Protection Center (MMPC) is warning Office users on the diffusion of malicious macros through email attachments or social engineering websites. A macro is a series of commands and instructions that could be grouped in a single command to accomplish frequently used tasks automatically.

In the recent months, the experts at MMPC have observed a significant increase in enable-macros based malware, the most active codes include Adnel and Tarbir.

“Two recent macro downloaders that we have seen spreading through spam email campaigns areTrojanDownloader:W97M/Adnel and TrojanDownloader:O97M/Tarbir. These recent campaigns are one example of an increasing trend of macro malware targeting home users and enterprise customers. These threats predominantly target our customers in the US and UK.” states the official blog post published by Microsoft.

Both malware was detected in several attacks targeting the US- and UK-based home users and enterprise customers.

The attack vector for both malware is the email, the malicious binary is served with an attachment that operates as infection gateway. The attachments came in the form of .doc or .xls files that appear to contain information related to a legitimate payment. The social engineering technique used in the attacks, exploits malicious emails with subject lines such as Payment details, Invoice – P97291, Order-Y24383, DOC file for report is ready, Invoice as requested, and so on.

Once the user is tricked into opening the malicious attachment, it prompts him to enable macros manually because Microsoft Office’s default settings are set to “Disable all macros with notification.”

“The combination of the instructional document, spam email with supposed monetary content, and a seemingly relevant file name, can be enough to convince an unsuspecting user to click the Enable Content button,” continues the MMPC report.

Once enabled the content the malware infects the targeted machine.

To avoid to be infected by the malware Microsoft suggests a few simple practices:

A file which contains a receipt or billing statement, most of the time does not need to have any macros in it.
Be cautious of unsigned macros and macros from an untrusted source. Macro malware are usually unsigned.
Some macro malware leave the document intentionally empty, relying on the user to think that they need to enable the macro so that they can see something. Beware of such tricks.

Pierluigi Paganini

(Security Affairs – Microsoft macros, malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.