Malware authors have a rediscovered their love for Visual Basic, as the percentage of macro based malware rose from around 6% of all document malware in June to 28% in July, Sophos researchers have found.
Gabor Szappanos, principal researcher at SophosLabs, explained in a paper published earlier this year the advantages of Visual Basic code over exploits: “Visual Basic code is easy to write, flexible and easy to refactor. Similar functionality can often be expressed in many different ways which gives malware authors more options for producing distinct, workable versions of their software than they have with exploits.”
Exploits, on the other hands, are more difficult to modify to evade AV detection and still be able to work as intended.
Another advantage of Visual Basic code over exploits is that it will work in all versions of Microsoft Office, not just the ones that are vulnerable to that particular exploit.
And even though Microsoft has made it so that all macros from untrusted sources are disabled by default, malware authors have been using social engineering to trick users into enabling them (click on the screenshot to enlarge it):
Learning and writing in Visual Basic for Applications (VBA) is extremely easy, researchers note, but even if malicious actors don’t have that knowledge, there are a number of VBA downloader templates that can be bought online.
“The samples in question contain Visual Basic code with helpful comments as to where authors should insert a malicious link as well as details of methods for obfuscating the code,” the researchers explained.
In the example pictured above, once the macros are enabled and the document is reopened, the malware checks for the presence of the PowerShell task automation management framework.
If it’s present, it is used to execute encoded scripts, and inject the shellcode into memory, which ultimately establishes a reverse shell on the affected computer, meaning that the attacker has gained full remote access to it and is free to tinker around.
“If the host machine does not have PowerShell installed the sample simply reverts to injecting shellcode using good old Visual Basic,” the researchers pointed out, but noted that, despite its effectiveness, VBA shellcode injection is currently very rarely used, because it improves the chances of the malware being detected by security software.