Microsoft Warns of Sneaky New Macro Trick

Microsoft warns of new technique to distribute macro malware that can evade standard virus detection, according to security experts.

Microsoft is warning of an innovative new technique attackers are using to sneak macro malware past virus detection engines and add to the already huge uptick in reported macro attacks.

According to researchers at Microsoft’s Malware Protection Center, they stumbled upon the macro technique in a file containing VBA project scripts with a sample of well-known malicious macro malware called TrojanDownloader:O97M/Donoff. It wasn’t the malware that piqued Microsoft’s interest, it was the attacker’s never-before-seen obfuscation technique.

It wasn’t immediately obvious that the macro file was actually malicious, wrote Marianne Mallen and Wei Li, both antivirus researchers at the Microsoft Malware Protection Center, who co-authored a blog post earlier this week on their discovery. “It [was] a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements),” wrote both authors.

The VBA user form contains three buttons. One of the buttons contained the encrypted URL.

The VBA user form contains three buttons. One of the buttons contained the encrypted URL.

The researchers said at first the VBA modules looked legit. “No malicious code found there … However, after further investigation we noticed a strange string in the Caption field for CommandButton3 in the user form,” the researchers wrote.

As it turned out the attackers were embedding the malware using a “sneaky new trick.” Upon further inspection, Microsoft said the attacker stored commands inside the name of a macro button. When the macro was executed it was directed to decrypt the data string used to name the macro button. Contained in the data string were commands to visit a specific URL where the malware could be downloaded onto the targeted computer from.

“The macro will connect to the URL (hxxp://<uniqueid>) to download a payload which we detect as Ransom:Win32/Locky,” Microsoft wrote.

“After the macro runs, it is instructed to find the button and extract the (button’s) name. Next, takestake that string (or the button’s name) and decrypt it. Then the URL downloads the executable,” commented Ryan Olson, researcher at Palo Alto in an interview with Threatpost. Olson said he has never seen this technique before, but there is nothing remarkable about the macro. “The Microsoft find is yet another iteration of a macro that uses a slightly different technique to evade detection.” He said the technique is slick, but par for the course in the whack-a-mole arms race to trick and detect macros.

According to Palo Alto, macro attacks are on the rise. This year Palo Alto reports 1.2 million instances of the Bartallex family of malware delivered via malicious macro documents. That’s up from last year with 100,000 instances of Bartallex family macro malware.

“We suspect that macro-based attacks are experiencing a resurgence from the late 1990s. There are a whole new pool of victims that don’t remember how dangerous macros were and are learning the hard way to never trust macros unless sent from a 100 percent reliable source,” Olson said.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.