Six key facts about malicious macros and the cybercrime economy

“Cybercrime is big business and criminals are increasingly exploiting people to circumvent automated protection systems. Cybercriminals have, in the last nine months, increasingly returned to cost-effective macros to reach more targets and see a greater return on their financial investment.


Proofpoint combined technical analysis of malware samples from top malicious macro developers with investigation of underground cybercriminal forums, and found that the high success rates and cost-effectiveness of malicious macros have rapidly and significantly altered the landscape of email-borne threats.

Before the latter half of 2014, cybercriminals relied overwhelmingly on malicious URLs to deliver malware in high-volume unsolicited email phishing campaigns.

Tactics shifted significantly in September 2014 as organized cybercriminal phishing campaigns, spreading primarily the Dridex banking Trojan, adopted malicious Microsoft Word document attachments as their primary delivery vehicle.

Heading into mid-2015, this trend continues to accelerate with Proofpoint researchers recording 56 different Dridex campaigns between April-May 2015 delivering, in some cases, several million email messages containing Dridex documents in a single day.

Six key facts include:

1. Campaigns rely heavily on the human factor. Deceptively simple and flexible malicious macros, which have replaced URL-based threats with attachment-based campaigns as the dominant threat, are rooted in their ability to use phishing techniques to exploit the human factor and trick an end user into clicking, thus avoiding many automated sandboxing checks.

2. Macros campaigns are increasingly sophisticated and evade many modern detection tactics including sandboxes. Todays macros campaigns are highly successful at evading not only traditional signature and reputation-based defenses, but also newer behavioral sandboxes.

3. Effectiveness is a primary driver. The high success rates and cost-effectiveness of increasingly sophisticated malicious macros have driven the shift in malware-based email attacks.

4. Malicious macro attachment campaigns have grown in both size and frequency. Proofpoint expects malicious macros campaigns will continue to grow until either the cost increases or effectiveness decreases to the point that significant ROI is no longer delivered.

5. Sophisticated actors lead the campaigns. Although malicious macros offer a low barrier to entry for attackers, the predominant campaigns are still driving malware, including Dyre and Dridex. Only the most sophisticated attackers have the expertise to successfully utilize these campaigns.

6. Lower cost and high accessibility promote attacker success. The budget for a malicious document (or maldoc) campaign can range from zero to $1,000. Also, attachment-based unsolicited email campaigns may exceed exploit kits (EKs) in popularity. While there are a range of spamming services available, most EK services are sold in private circles and are not readily available to entry- to mid-level criminals.

Attacks relying on Macros haven’t let age dull their ability to wreak havoc on a network, with a variety of tricks designed to convince recipients into enabling them in Microsoft Word, believes Chris Boyd, Malware Intelligence Analyst at Malwarebytes.

“Claiming that the words in a document have been “encrypted”, or the file is corrupted and requires enabled Macros in order to view it will cut through an unwary organization’s defenses if not careful. Training up employees on the dangers of phishing is always a good idea, but we need to ensure we make them aware of the perils brought about by hackers turning some of those same social engineering tricks towards their malicious attachments. For many businesses, all that may stand between them and days of non-productivity might be a single employee and an “Enable content” button,” Boyd added.”