The macro malware-laden documents that target email users through email spam are intentionally crafted to pique any person’s curiosity. With subjects that include sales invoices, federal tax payments, courier notifications, resumes, and donation confirmations, users can be easily tricked to read the email and open the attachment without thinking twice.
The user opens the document, enables the macro, thinking that the document needs it to function properly – unknowingly enabling the macro malware to run.
Just when you think macro malware is a thing of the past, over the past few months, we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.
Figure 1: Increasing trend of macro downloaders from April 2014 to 2015
We have seen majority of the macro-malware attacks in the United States and United Kingdom.
Figure 2: Macro downloaders’ prevalence in affected countries
Figure 3: Macro malware distribution heat map
Macro malware infection chain
As stated in the previous macro blog, macro downloaders serve as the gateway for other nasty malware to get in. The following diagram shows how a typical macro downloader gets into the system and deliver its payload.
Figure 4: Macro downloader infection chain
The macro malware gets into your PC as a spam email attachment. The spam email recipient then falls for a social engineering technique, opens the attachment, thereby enabling the macro inside the document.
We have identified some of these macro downloader threats, but not limited to:
When a malicious macro code runs, it either downloads its final payload, or it downloads another payload courier in the form of a binary downloader.
We have observed the following final payload, but is not limited to:
We have also observed the following binary downloaders to be related to these macros, but not limited to:
After the macro malware is downloaded, the job is pretty much done. The torch is passed to either the final payload or the binary downloader.
We have observed the following threats being downloaded by the binary downloaders, but not limited to:
Prevention: How do you close that door?
If you know that social engineering tricks through spam emails open the door to macro malware attacks, what can you do to help protect your enterprise software security infrastructure in closing that door?
Be careful on enabling macros
Macro threats, as payload couriers, seem to gain popularity as an effective infection vector. But unlike exploit kits, these macro threats require user consent to run. To avoid running into trouble because of these macro threats, see Before you enable those macros, for details on prevention.
You can also read more about the macro configuration options to understand the scenarios when you can enable or disable them. See Microsoft Project – how to control Macro Settings using registry keys for details.
Aside from that, be aware of the dangers in opening suspicious emails. That includes not opening email attachments or links from untrusted sources.
If you are an enterprise software security administrator, what can you do?
Most, if not all of the macro malware received are in .doc file format (D0 CF) which are seen in Microsoft Office 2007 and older versions.
If you are in charge of looking after your enterprise software security infrastructure, you can:
- Update your Microsoft security software. Microsoft detects this threat and encourages everyone to always run on the latest software version for protection.
- Ensure that your Trust Center settings are configured not to load older Office versions:
Doing so blocks older Office versions from opening.
- Follow the appropriate Exchange Online Protection instructions to suite your business needs.
- Learn some insights on how Office 365 can help you block spams using machine learning. See First look at Advanced Threat Protection: new tools to stop unknown malware & phishing attacks for details.
- Submit spam and non-spam messages to Microsoft for analysis.
- Enable the Microsoft Active Protection Service (MAPS). Customers using MAPS can take advantage of Microsoft’s cloud protection and are protected with the latest threat variants. MAPS is enabled by default for Microsoft Security Essentials and Windows Defender for Windows 8.1.