Macro-based malware continues to gain traction

After having “rediscovered” the usefulness of MS Office macros, malware peddlers have been ramping up email spam runs delivering documents that request users to enable them.

Those that do open the door for macro-based Trojan droppers and, consequently, other malware.

The Upatre downloader is still the most popular way to deliver malware – usually the Zeus info-stealer or, more recently, crypto-ransomware – but macro-based malware is slowly gaining traction:

“Spam with macro-based malware typically makes use of social engineering lures like remittance and invoice notifications, emails related to tax and payment slips, payment confirmation, purchase orders, etc. Most of the spammed emails even contain so-called shipping codes in the email subject to appear authentic,” explains Trend Micro research engineer Maydalene Salvador.

The latest spam run using this tactic is a fake Air Canada e-ticket with faulty airline information attached in the form of a .DOC file.

When opened, the file shows a jumble of symbols and special characters and asks the user to enable macros to “decode” the message. Doing so allows the download and execution of several malicious files, which in turn download additional malware.

Note that macro-related spam can also arrive with .DOC, .DOCM, .XLS, and .XLSM attachments.
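As an added example (not from the article or Trend Micro), here is a defender-side triage check a mail gateway or analyst could run over the attachment types listed above to flag files that actually carry a VBA project; the sample files it inspects are constructed in the block, and the OLE check is a byte-scan heuristic rather than a full compound-file parser.

```python
# Added example: flag Office attachments that contain VBA macros.
# OOXML files (.docm/.xlsm, and .docx/.xlsx) are ZIP archives; macros live in a
# vbaProject.bin part. Legacy OLE files (.doc/.xls) keep macros in a "Macros" /
# "_VBA_PROJECT_CUR" storage whose directory entry names are stored as UTF-16LE.
import io
import os
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# Heuristic markers for macro storages inside an OLE compound file (UTF-16LE).
OLE_MACRO_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT_CUR")]
MACRO_CAPABLE_EXT = {".doc", ".docm", ".xls", ".xlsm"}  # the types the article lists

def has_vba_macros(data: bytes) -> bool:
    """Return True if the attachment bytes appear to contain a VBA project."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):
        # Heuristic: a macro-bearing OLE document names these storages in its directory.
        return any(marker in data for marker in OLE_MACRO_MARKERS)
    return False

def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'macro', 'macro-capable' (by extension) or 'clean'."""
    ext = os.path.splitext(filename)[1].lower()
    if has_vba_macros(data):
        return "macro"
    return "macro-capable" if ext in MACRO_CAPABLE_EXT else "clean"

def _build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style ZIP for demonstration (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()

# Constructed samples: a fake OLE header followed by a UTF-16LE "Macros" entry name,
# plus one OOXML archive with a vbaProject.bin part and one without.
SAMPLE_OLE_WITH_MACRO = OLE_MAGIC + b"\x00" * 24 + "Macros".encode("utf-16-le")
SAMPLE_DOCM = _build_ooxml(True)
SAMPLE_DOCX = _build_ooxml(False)
```

A "macro-capable" verdict only means the extension can carry macros; pair it with the Office macro security settings the article recommends rather than relying on the byte-scan alone.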

“As always, we recommend that users exercise caution when opening email attachments, even those from familiar or known senders,” says Salvador. “Ignore emails sent from unknown email addresses and especially avoid opening any type of attachments they may have. As an added measure, make sure to enable the macro security features in applications.”