Malware that uses macros as part of its infection method has been around for more than a decade, and was one of the first major techniques to drive changes at software vendors such as Microsoft. The tactic has been making a comeback of late, and Microsoft is seeing a major spike in the volume of malware using macros since the beginning of the year.
Last month, researchers at Trustwave reported an increase in email messages carrying the Dridex banking Trojan that used macros as part of the infection chain. Those messages carried XML messages and tried to trick users into enabling macros in order to execute the malicious code.
“XML files are the old binary format for Office docs and once you double click them to open, the file associated with Microsoft Word and opens,” said Karl Sigler, Trustwave threat intelligence manager.
The recent wave of spam messages that Microsoft has been tracking, also uses social engineering tactics to dupe users into enabling macros. In many enterprises, macros are disabled by default, a result of the major problems that macro-connected malware caused in the 2000s. Such malware mostly disappeared from the scene for the last few years, but attackers have begun to revive the technique, with some success. Microsoft researchers say they have seen the malware affecting more than 500,000 machines in the last few months. The largest number of infections have been seen in the United States and the United Kingdom.
“The macro malware-laden documents that target email users through email spam are intentionally crafted to pique any person’s curiosity. With subjects that include sales invoices, federal tax payments, courier notifications, resumes, and donation confirmations, users can be easily tricked to read the email and open the attachment without thinking twice,” the Microsoft Malware Protection Center wrote in an analysis of the attacks.
“The user opens the document, enables the macro, thinking that the document needs it to function properly – unknowingly enabling the macro malware to run.”
Once the macro runs, the malware either downloads the final payload or installs a second downloader, which then reaches out to a remote server and installs a Trojan. After that, the malware is off and running and the user is in big trouble. The best defense against this kind of attack is to make sure macros are disabled by default and to educate users about the danger of enabling them.