Microsoft Reports Massive Increase in Macros-Enabled Threats

Microsoft is warning of a significant uptick in threats tricking users to enable macros and then infecting them with malicious macros files.

The Microsoft Malware Protection Center says there has been a dramatic increase in threats using macros to spread malware via spam and social engineering over the last month.

Macros are used for automating frequently used tasks in Office. Macro-related infections held steady near zero per day up until Dec. 4, then spiked in mid-December, peaking at just under 8,000 detections on Dec. 17. Infections had fallen since Microsoft moved to disable macros by default.

[Figure: Macros malware infection per day]

However, the first phase of the attack is a social engineering scheme designed to trick users into enabling macros on their machines. First the user receives a finance-themed spam email with a malicious attachment masquerading as a Microsoft Office document. The attachment is, in reality, a ploy to get the user to enable macros. If the user does enable them, the macro executes and downloads its payload, which is one of two separate Trojan downloaders.


Thus far, Microsoft has observed two trojans disseminated in this campaign: TrojanDownloader:W97/Adnel and TrojanDownloader:O97M/Tarbir. Each is a downloader capable of installing software, including malware, on the machines it infects.

The Adnel variety is described as a malicious macro embedded into a Microsoft Office file. When the file is opened, Office displays a warning about enabling macros. If the user chooses to enable them, or already has macros enabled, the malicious code runs. The attackers have distributed Adnel as malicious .doc and .xls files.

“Upon opening the Microsoft Office file (in this case a Word document), a user will be prompted to enable macros,” the Microsoft Malware Protection Center warned. “By default, the macros in Microsoft Office are set as ‘Disable all macros with notification’. Until they are manually enabled, the malware code cannot run.”

The campaign is targeting users primarily in the United States and the United Kingdom, with just under 10,000 detections in the United States and just over 10,000 in the United Kingdom. Microsoft has observed other detections in France, Japan, Australia, India, South Africa, Canada, Italy and Germany, though each has far fewer than 1,000 detections.

[Figure: Macros malware distribution by country]

On the victim’s end, users should look out for the following email subject lines: ACH Transaction Report, Doc-file for report is ready, Invoice as required, Invoice – P97291, Order – Y24383, Payment Details, Remittance Advice from Engineering Solutions Ltd and Your Automated Clearing House Transaction Has Been Put Out.

Malicious attachments deployed in the attack include: 20140918_122519.doc, 813536MY.xls, ACH Transfer 0084.doc, Automated Clearing House transfer 4995.doc, BAC474047MZ.xls, BILLING DETAILS 4905.doc, CAR014 151239.doc, ID_2542Z.xls, Fuel bill.doc, ORDER DETAILS 9650.doc, Payment Advice 593016.doc, SHIPPING DETAILS 1181.doc, SHIP INVOICE 1677.doc and SHIPPING NO.doc.
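The attack chain above (a finance-themed lure carrying an Office attachment that only does harm once macros are enabled) and the subject lines and attachment names listed give a mail gateway two things to check: whether a message matches the published indicators, and whether its attachment is a container that can carry VBA at all. The script below is an added example, not Microsoft's or Threatpost's code. The subject lines and attachment names are the ones quoted in the article; the scoring thresholds, the generic lure-word pattern, the `build_ooxml` fixture helper and the sample messages are constructed here for illustration.

```python
"""Mail-gateway triage for macro-enabled lures (added example, not from the article)."""
import io
import re
import zipfile
from dataclasses import dataclass

# Indicators quoted in the article.
SUSPICIOUS_SUBJECTS = [
    "ACH Transaction Report", "Doc-file for report is ready",
    "Invoice as required", "Invoice – P97291", "Order – Y24383",
    "Payment Details", "Remittance Advice from Engineering Solutions Ltd",
    "Your Automated Clearing House Transaction Has Been Put Out",
]
SUSPICIOUS_ATTACHMENTS = [
    "20140918_122519.doc", "813536MY.xls", "ACH Transfer 0084.doc",
    "Automated Clearing House transfer 4995.doc", "BAC474047MZ.xls",
    "BILLING DETAILS 4905.doc", "CAR014 151239.doc", "ID_2542Z.xls",
    "Fuel bill.doc", "ORDER DETAILS 9650.doc", "Payment Advice 593016.doc",
    "SHIPPING DETAILS 1181.doc", "SHIP INVOICE 1677.doc", "SHIPPING NO.doc",
]
# Generic finance-themed lure words (assumption: my own heuristic, not Microsoft's list).
LURE_PATTERN = re.compile(r"\b(invoice|order|payment|remittance|ach|shipping|billing)\b", re.I)

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm/.xlsm) container


def _norm(text: str) -> str:
    """Fold dashes and whitespace so 'Invoice – P97291' and 'Invoice - P97291' compare equal."""
    text = text.replace("\u2013", "-").replace("\u2014", "-")
    return re.sub(r"\s+", " ", text).strip().lower()


KNOWN_SUBJECTS = {_norm(s) for s in SUSPICIOUS_SUBJECTS}
KNOWN_ATTACHMENTS = {_norm(a) for a in SUSPICIOUS_ATTACHMENTS}


def has_macro_container(data: bytes) -> bool:
    """True if the attachment is an Office file that can carry VBA macros.

    Legacy OLE files (.doc/.xls) can always embed a macro project. OOXML files
    are zip archives; a macro project, when present, is stored as vbaProject.bin.
    """
    if data.startswith(OLE_MAGIC):
        return True
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False  # zip magic but no readable archive: treat as not-Office
    return False


@dataclass
class Message:
    subject: str
    attachment_name: str
    attachment_bytes: bytes


def triage(msg: Message) -> dict:
    """Score one message: 'block' at 4 or more, 'review' at 2 or 3, otherwise 'allow'."""
    score, reasons = 0, []
    if _norm(msg.subject) in KNOWN_SUBJECTS:
        score += 2
        reasons.append("subject matches a known campaign lure")
    elif LURE_PATTERN.search(msg.subject):
        score += 1
        reasons.append("finance-themed subject")
    if _norm(msg.attachment_name) in KNOWN_ATTACHMENTS:
        score += 2
        reasons.append("attachment name matches a known campaign file")
    if has_macro_container(msg.attachment_bytes):
        score += 2
        reasons.append("attachment can carry VBA macros")
    verdict = "block" if score >= 4 else "review" if score >= 2 else "allow"
    return {"verdict": verdict, "score": score, "reasons": reasons}


def build_ooxml(entries: dict) -> bytes:
    """Build a minimal OOXML-style zip in memory (test fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample messages, not captured traffic.
SAMPLES = [
    Message("Invoice - P97291", "Payment Advice 593016.doc", OLE_MAGIC + b"\x00" * 24),
    Message("Lunch menu", "menu.docx", build_ooxml({"[Content_Types].xml": "<Types/>"})),
    Message("Quarterly order summary", "summary.docm",
            build_ooxml({"[Content_Types].xml": "<Types/>", "word/vbaProject.bin": b"\x00"})),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.subject!r:28} {m.attachment_name:28} -> {triage(m)}")
```

The indicator match is deliberately combined with the container check rather than used alone: file names and subject lines change between waves of a campaign, but an attachment that cannot carry a VBA project cannot deliver this kind of payload, so the container test keeps working after the specific lures have been rotated.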


Discussion

  • JustSUmGuy on

    Macros are dangerous, hence why MS disables them by default. How is this new? Or is this a "reminder" article?
  • Simon on

    I'm guessing that as the title suggests it's the massive increase of infections using the macro vulnerability that is what's "new" here and why this article has been given prominence.
  • Mark D'Agosta on

    Anyone know of any available statistics or studies of the known sources of viruses/trojans? Before this spike in macro viruses, how were the majority of them being introduced?
    • Anonymous on

      It's all Sony's fault. lol
  • Eli Marcus on

    Spreading infections via macros in Word/Excel documents is not a new attack vector, but the volume of the recent spam/macro campaign is what is apparently alarming. Another method of attack in recent times has been a "weaponized PDF" document - a PDF with a Trojan application attached inside, or containing links to a malware download/infection site. One of the Trojans seen in this recent spam/Word macro campaign is Bugat v4 a.k.a. "Dridex" - a "Banker Trojan" known for stealing online banking credentials.
