The Microsoft Malware Protection Center (MMPC) has recently seen an increasing number of threats using macros to spread their malicious code. This technique uses spam emails and social engineering to infect a system.
Using macros in Microsoft Office can help increase productivity by automating some processes. However, malware authors have also exploited these capabilities. Since Microsoft set the default setting to "Disable all macros with notification", the number of macro-related malware threat has declined. More recently we have seen new threats emerging that include some form of social engineering to convince users to manually enable macros and allow the malicious code to run.
Two recent macro downloaders that we have seen spreading through spam email campaigns are TrojanDownloader:W97M/Adnel and TrojanDownloader:O97M/Tarbir. These recent campaigns are one example of an increasing trend of macro malware targeting home users and enterprise customers. These threats predominantly target our customers in the US and UK.
Figure 1: Adnel and Tarbir encounters peaked mid-December, 2014
Figure 2: Regional distribution of Adnel and Tarbir encounters during December 2014
We have seen the spam emails spreading these threats use subject lines such as:
- ACH Transaction Report
- DOC-file for report is ready
- Invoice as requested
- Invoice - P97291
- Order - Y24383
- Payment Details
- Remittance Advice from Engineering Solutions Ltd
- Your Automated Clearing House Transaction Has Been Put On
Figure 3: Recent spam campaigns use usually money-related subject lines to entice users to open the malicious email attachment
Similar to other malware that spreads through malicious binary email attachments (for example, TrojanDownloader:Win32/Upatre), macro malware serve as an infection gateway. Once the gate is opened, in this case by opening the email attachment with macros enabled, whatever is on the other side of the gate (the malware), will enter and infect the system.
We have seen the email attachments in the Adnel and Tarbir campaigns using the attachment file names similar to those below:
- ACH Transfer 0084.doc
- Automated Clearing House transfer 4995.doc
- BILLING DETAILS 4905.doc
- CAR014 151239.doc
- Fuel bill.doc
- ORDER DETAILS 9650.doc
- Payment Advice 593016.doc
- SHIPPING DETAILS 1181.doc
- SHIP INVOICE 1677.doc
- SHIPPING NO.doc
These names are again designed to look like legitimate payment files and use social engineering to convince recipients to open them. Upon opening the Microsoft Office file (in this case a Word document), a user will be prompted to enable macros. By default, the macros in Microsoft Office are set as "Disable all macros with notification". Until they are manually enabled, the malware code cannot run.
Imagine this blocking of untrusted macros is the lock on the gate, and the key to open the lock is user consent. A simple click enables the untrusted macro to run, which give the malware access to the system. This is where another social engineering trick comes in. The malware authors provide step-by-step instructions to trick the user to enable the untrusted macros by.
The following screenshot shows the contents of a spam email attachment spreading TrojanDownloader:O97M/Tarbir.
Figure 4: The malware masquerades itself as a Microsoft Office notification to mislead users into enabling macros
The combination of the instructional document, spam email with supposed monetary content, and a seemingly relevant file name, can be enough to convince an unsuspecting user to click the Enable Content button. When they do, the macro executes and downloads its payload, which is to download other malware, including TrojanDownloader:Win32/Drixed.B.
To avoid further infection from these malware types, keep this in mind:
- A file which contains a receipt or billing statement, most of the time does not need to have any macros in it.
- Be cautious of unsigned macros and macros from an untrusted source. Macro malware are usually unsigned.
- Some macro malware leave the document intentionally empty, relying on the user to think that they need to enable the macro so that they can see something. Beware of such tricks.
Microsoft security products, such as Microsoft Security Essentials, include detection for TrojanDownloader:W97M/Adnel and TrojanDownloader:O97M/Tarbir. To help stay protected we recommend you keep your security software up-to date.