Macros based malware on the rise (Once Again)

Microsoft is observing a major spike in the volume of malware using macros since the beginning of the year. The infection method was very common in the past

I remember when I was starting my career, around 2006 that a lot of the existent malware would arrive to their victims trough Word/Excel macros, and that was fine by then, but now in the year 2015 macros full of malware are on the rise again, but why?

Back in the golden days of macro’s malware, the executing was depending on the option “macros executing automatically”, but new ones are much more evolved and use social engineering to make the user enabling macros.

Early 2015 the Microsoft Malware Protection Center (MMPC) issued an alert about a surge in the infections of malware using macros to spread their malicious code. The researchers at Microsoft have seen a major increase in enable-macros based malware, the most active codes included Adnel and Tarbir.

Last year experts at TrendLabs observed criminal crews using the Windows PowerShell command shell to spread ROVNIX via malicious macro downloaders. Early this year, the experts noticed cyber criminals were using malicious macros in Microsoft Word Windows to spread the banking malwareVAWTRAK.

An actual example of this is the “Dridex” banking Trojan and “TorrentLocker” ransomware, which is being spread through macros. The point where all start is with spam emails that contain the infected macro, those macros include an XML file that will try to trick the users to enable macros.

“XML files are the old binary format for Office docs and once you double click them to open, the file associated with Microsoft Word and opens,” explained researcher at Trustwave Karl Sigler.

Microsoft Malware Protection Center commented about the tricks used:

“The macro malware-laden documents that target email users through email spam are intentionally crafted to pique any person’s curiosity. With subjects that include sales invoices, federal tax payments, courier notifications, resumes, and donation confirmations, users can be easily tricked to read the email and open the attachment without thinking twice,” “The user opens the document, enables the macro, thinking that the document needs it to function properly – unknowingly enabling the macro malware to run.”

When the user bites the bait the malware starts doing what he was written to, downloading payloads, or installing nasty stuff, remote connecting to a server and install more nasty stuff.

So, the advice here it’s the same as in 2006, be sure that macros are disabled by default and always pay attention on what you click and authorize.

About the Author Elsio Pinto

Edited by Pierluigi Paganini

(Security Affairs –  Macros, malware)