How risky is macro malware, after all?

September 21, 2016

In computing, a macro is a set of rules or patterns that maps a certain input sequence to a specific output sequence, and so serves to automate software functions. Macros are essentially time-saving ways of launching repetitive tasks, and many organizations rely on them daily in a variety of settings. Yet we have been hearing a lot about macro malware.

The macros people most often come across are those in Microsoft Excel and Microsoft Word. Although Microsoft set macros to be disabled by default in 2007, Office still lets users enable them on demand. In addition, keyboard and mouse software also uses macros to automate frequently repeated input sequences.

Etymologically, the term comes from "macro instruction": from a programmer's point of view, a small sequence of characters expands into a large block of code.

What do macros have to do with cyber-security, more precisely with malware?

Malicious Macro

Running malicious software on a victim's computer with the help of a downloaded macro-enabled file is nothing new. Malicious macros were a trend in the early 2000s, yet they made an unpleasant comeback in 2016. Their preferred targets are financial organizations and online banking operations, as the same source mentioned above points out.

Macro-based malware schemes rely on social engineering to persuade targets to open the infected emails and then to enable macros. Once these steps are done, the victim has opened the door to malicious scripts that either download and install malware or pave the way for other nasty cyber-security incidents.

Even ransomware has found its way onto users' computers via macros, as was the case with the Locky crypto-ransomware. The way macros have been turned into malicious processes is therefore not to be neglected: the cyber-crime environment has matured since the 2000s and new threats have risen.

What is even more unpleasant is that, while attacks by macro malware spiked, these infection instruments now employ heavy obfuscation that hides them from common anti-malware detectors; see here what obfuscated strings look like.
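To make the obfuscation point concrete from the analyst's side, here is an added example (not code from the original article) that folds two common VBA string-hiding tricks, Chr() chains and StrReverse(), back into readable literals and scores a macro body on a few indicators. The two macro bodies are constructed samples, not real malware; the function and constant names are the example's own.

```python
import re

# Constructed sample macro bodies (not taken from any real document). The first
# assembles its strings from Chr() calls and StrReverse, the kind of obfuscation
# the article refers to; the second is an ordinary formatting macro.
SAMPLE_OBFUSCATED = """Sub AutoOpen()
    Dim s As String, t As String
    s = Chr(77) & Chr(115) & Chr(103) & Chr(66) & Chr(111) & Chr(120)
    t = StrReverse("dlrow olleh")
    CallByName Application, s, VbMethod, t
End Sub"""

SAMPLE_PLAIN = """Sub FormatReport()
    Range("A1").Font.Bold = True
    Columns("A:C").AutoFit
End Sub"""

# Procedure names Office runs automatically when a document is opened.
AUTOEXEC_NAMES = ("AutoOpen", "Document_Open", "Workbook_Open", "Auto_Open", "AutoExec")
# Keywords worth knowing about; the telling case is when they appear only after decoding.
KEYWORDS = ("MsgBox", "Shell", "CreateObject", "WScript", "URLDownloadToFile", "powershell")

CHR_ONE = re.compile(r"Chr\(\s*(\d{1,3})\s*\)", re.IGNORECASE)
CHR_CHAIN = re.compile(r"Chr\(\s*\d{1,3}\s*\)(?:\s*&\s*Chr\(\s*\d{1,3}\s*\))*", re.IGNORECASE)
STRREVERSE = re.compile(r'StrReverse\("([^"]*)"\)', re.IGNORECASE)


def decode_vba_strings(vba: str) -> str:
    """Fold Chr() chains and StrReverse("...") calls back into plain string literals."""
    def chain_to_literal(m):
        codes = [int(c) for c in CHR_ONE.findall(m.group(0))]
        return '"' + "".join(chr(c) for c in codes if c < 256) + '"'
    decoded = CHR_CHAIN.sub(chain_to_literal, vba)
    return STRREVERSE.sub(lambda m: '"' + m.group(1)[::-1] + '"', decoded)


def analyze_macro(vba: str) -> dict:
    """Score a macro body on simple obfuscation indicators (a toy version of what olevba does)."""
    decoded = decode_vba_strings(vba)
    lowered, lowered_decoded = vba.lower(), decoded.lower()
    indicators = {
        "chr_calls": len(CHR_ONE.findall(vba)),
        "uses_strreverse": bool(STRREVERSE.search(vba)),
        "autoexec": [n for n in AUTOEXEC_NAMES if re.search(rf"\b{n}\b", vba, re.IGNORECASE)],
        # keywords visible only once strings are decoded: the hallmark of obfuscation
        "hidden_keywords": [k for k in KEYWORDS
                            if k.lower() not in lowered and k.lower() in lowered_decoded],
    }
    score = 0
    score += indicators["chr_calls"] >= 4
    score += indicators["uses_strreverse"]
    score += bool(indicators["autoexec"])
    score += bool(indicators["hidden_keywords"])
    indicators["score"] = score
    indicators["suspicious"] = score >= 2
    return indicators


if __name__ == "__main__":
    print(decode_vba_strings(SAMPLE_OBFUSCATED))
    print(analyze_macro(SAMPLE_OBFUSCATED))
    print(analyze_macro(SAMPLE_PLAIN))
```

The decoded sample reveals `s = "MsgBox"` and `t = "hello world"`, and the auto-executing procedure name plus the hidden keyword push its score to 4, while the plain formatting macro scores 0. Real macro malware uses many more encoding layers than Chr() and StrReverse(), which is why production analysis relies on a full tool such as olevba rather than two regular expressions; the indicators themselves, though, are the same ones those tools report.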

How risky macros look to the everyday user

Potentially dangerous macro-bearing documents look just like any other document to an unaware user. While most people are by now circumspect about downloading .exe email attachments and reluctant to do so (and companies usually block emails carrying this type of attachment, just to be on the safe side), opening emailed documents is still a daily task for many staff members, so turning a non-.exe document into a cyber weapon is an efficient idea for the malicious entities out there.

The Microsoft Office suite is particularly exposed to macro malware because of its Visual Basic for Applications (VBA) component. VBA code is usually added to files for reasons such as "office automation, workflow streamlining, or simply doing things faster and more accurately".

VBA malware, as mentioned above, slips unnoticed into daily computer-related tasks, only to become the first step in a more sophisticated cyber-attack. In most cases, the second step involves installing a full-strength malicious .exe file that runs in the background, serving the purposes of the unknown attackers.

Therefore, running into a full-on malicious macro attack is not as spectacular or uncommon as one might imagine. It is rather unpleasantly likely to become a victim once basic security measures are missing (e.g. cyber-security awareness for employees, disabling VBA macros as a rule, double-checking doubtful emails and so on).

Taking macro malware attacks further

Of course, there are situations that made specialists wonder where the macro even is: cyber-attacks that took the same concept to a whole new level. As often happens in cyber-security, one aggressor is meaner than the other, and the most evil of them all is the one who actually manages to infect the system.

OLE embedding seems to be the macro's meaner relative. This method uses Office object linking and embedding (OLE) to carry malicious capabilities that end up tricking users into downloading infected content. It is yet another variation on turning VB scripts into malware carriers, as you may see in detail in this article.

Another evolutionary trait in macro attacks consists of disguising macro malware by renaming infected files so that Microsoft Office's file-type detection is sidestepped. Microsoft designed the Office Open XML (OOXML) format so that the data structure inside a file identifies its type, as an improvement over identifying files by their extension alone. This in turn means that, regardless of the extension, Office will open certain files and process them according to their content. Attackers therefore disguise DOCM files containing macros as files of other formats simply by changing the extension. What to the user's eye seems inoffensive (a file named as an RTF, for example) becomes a malicious macro container once opened, because Office's content-based detection identifies it as such.

Macro malware protection

What can be done to protect company IT systems from macro-enabled cyber-attacks? We turned to online sources for recommendations, and here is what we found:

  • Train your employees in cyber-security basics (as we have ourselves reiterated in other articles);
  • Sanitize your on-premises systems with tools and rules (such as blocking email attachments from unknown sources, scanning files with anti-malware software and updating your defenses regularly);
  • Use secure email gateways where possible, in order to neutralize weaponized attachments and/or strip active code from Office documents.
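The extension-renaming trick described earlier and the last recommendation above (a gateway that strips active code from Office documents) can be shown in one piece of defensive code. The following is an added example, not code from the original article or from any named product: it identifies an attachment by its content rather than its name, flags a mismatch between the two, notes embedded OLE objects, and rebuilds an OOXML package without its VBA part. The `.docm` it inspects is constructed in memory with real OOXML part names and content-type strings but dummy part bodies; all function names are the example's own.

```python
import io
import re
import zipfile

# Real OOXML content-type strings for the parts involved.
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_CT = "application/vnd.ms-office.vbaProject"
OLE_OBJ_CT = "application/vnd.openxmlformats-officedocument.oleObject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file header (.doc, vbaProject.bin)


def build_sample_docm(with_embedding: bool = False) -> bytes:
    """Constructed minimal .docm: genuine part names and content types, dummy part bodies."""
    overrides = [
        f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/>',
        f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CT}"/>',
    ]
    rels = ['<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>']
    if with_embedding:
        overrides.append(f'<Override PartName="/word/embeddings/oleObject1.bin" ContentType="{OLE_OBJ_CT}"/>')
        rels.append('<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   + "".join(overrides) + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                   + "".join(rels) + "</Relationships>")
        z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)   # dummy body, not a VBA project
        if with_embedding:
            z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


def list_parts(data: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def sniff_format(data: bytes) -> str:
    """Classify by content rather than by file name, which is what Office itself does."""
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"            # legacy binary .doc/.xls; may carry macros too, not inspected here
    if data.startswith(b"PK\x03\x04"):
        # vbaProject.bin sits under word/, xl/ or ppt/ depending on the application
        has_vba = any(n.endswith("vbaProject.bin") for n in list_parts(data))
        return "ooxml-macro" if has_vba else "ooxml"
    return "unknown"


# What each extension claims to be; anything else is a mismatch worth flagging.
EXPECTED_BY_EXT = {"rtf": "rtf", "doc": "ole", "xls": "ole", "docx": "ooxml", "xlsx": "ooxml",
                   "docm": "ooxml-macro", "xlsm": "ooxml-macro"}


def inspect_attachment(filename: str, data: bytes) -> dict:
    ext = filename.rsplit(".", 1)[-1].lower()
    fmt = sniff_format(data)
    parts = list_parts(data) if fmt.startswith("ooxml") else []
    expected = EXPECTED_BY_EXT.get(ext)
    return {
        "filename": filename,
        "sniffed": fmt,
        "has_macros": fmt == "ooxml-macro",
        "has_embedded_objects": any("/embeddings/" in n for n in parts),
        "extension_mismatch": expected is not None and expected != fmt,
    }


def strip_macros(data: bytes) -> bytes:
    """Rebuild an OOXML package without its VBA part, as a sanitizing gateway would."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name.endswith(("vbaProject.bin", "vbaData.xml")):
                continue                      # drop the macro storage itself
            body = src.read(name)
            if name == "[Content_Types].xml":
                text = re.sub(r"<Override [^>]*vbaProject\.bin[^>]*/>", "", body.decode("utf-8"))
                body = text.replace(MACRO_MAIN_CT, PLAIN_MAIN_CT).encode("utf-8")   # .docm -> .docx type
            elif name.endswith(".rels"):
                body = re.sub(rb"<Relationship [^>]*vbaProject\.bin[^>]*/>", b"", body)
            dst.writestr(name, body)
    return out.getvalue()


if __name__ == "__main__":
    disguised = build_sample_docm()
    print(inspect_attachment("quarterly_report.rtf", disguised))   # a macro container wearing an .rtf name
    print(sniff_format(strip_macros(disguised)))                    # ooxml
```

Run against the constructed `.docm` saved under an `.rtf` name, `inspect_attachment` reports both `has_macros` and `extension_mismatch`, which is exactly the signal a gateway should act on even though the name alone looks harmless. `strip_macros` is deliberately narrow: it removes the VBA storage and repoints the content types, but a production sanitizer would also handle legacy OLE binaries, embedded objects and DDE fields, which this example only flags.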
