VBA malware is far from dead. In fact, as Sophos researchers recently noted, approximately 50 to 100 new VBA malware samples are spotted each day.
For those who don’t know, VBA (Visual Basic for Applications) is Microsoft’s implementation of Visual Basic that is built into many of its products, including the Office suite, and is used for automating tasks.
Unfortunately, if the VBA code is malicious and is inserted in, for example, a Word file, it will execute automatically once the file is opened.
The worst thing is that attackers don’t even have to know how to program in VBA – there are plenty of malware templates that can be bought online and easily modified/adapted to their needs.
“Usually, VBA malware isn’t self-contained, but instead acts as what’s called a downloader,” Sophos’ Paul Ducklin explains. “The VBA simply goes online, connects to a server under the control of the crooks, and fetches a malicious .EXE file without asking you.”
VBA malware is a simple way to covertly deliver malware. Lately that payload is usually an info-stealer (Dridex), a banking Trojan (Zbot), or ransomware (CryptoWall).
“Users who wouldn’t dream of opening .EXE files (executable programs) that they received via email might very well open .DOC and .DOCX files (Word documents), even unexpected ones that might very well contain equally unexpected VBA programs,” Ducklin points out. It’s no wonder, then, that malware peddlers continue using it.
Still, attackers keep tweaking their approach so that more users fall for the scheme, and so that AV software and malware analysts have a harder time spotting and analyzing it.
To attain that first goal, they are packing the VBA malware in unexpected documents: .XML, .MHTML, .RTF, or .PDF files.
To achieve the other two they obfuscate the malicious code and “complicate” it on purpose so that it can throw off AV software.
Luckily, it’s easy to protect oneself against the threat of VBA malware: disable VBA macros in Word and the other Office applications that might be targeted, and don’t enable them if an untrusted document tells you to.
Enterprise admins can also make sure that Office files containing macros and emailed from outside of the organization are blocked before landing in employees’ inboxes.
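The gateway rule described above (block macro-bearing Office files that arrive from outside the organization) has to look at file contents rather than extensions, because the article notes that macro documents also arrive disguised as .XML, .MHTML, .RTF or .PDF. The following is an added example written for this page, not code from the article or from Sophos. It checks an attachment for a VBA project in two container formats: OOXML (a zip holding a `vbaProject.bin` part or declaring the `application/vnd.ms-office.vbaProject` content type) and legacy OLE2 (.doc/.xls), where it searches for the `_VBA_PROJECT` stream name that OLE stores as UTF-16LE. The OLE check is a byte-scan heuristic, not a full compound-file parser, and the sample files are constructed stand-ins, not real Word documents. Function and variable names are the editor's own.

```python
"""Flag email attachments that carry a VBA macro project.

Editor's added example, not from the article or Sophos. Inspects file
contents rather than trusting the extension. Two checks:
  * OOXML (zip) containers: a vbaProject.bin part, or a vbaProject
    content type declared in [Content_Types].xml;
  * legacy OLE2 (.doc/.xls) containers: the '_VBA_PROJECT' stream name,
    which OLE stores as UTF-16LE (heuristic byte scan, not a full parser).
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML files are zip archives
OOXML_VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16le")


def has_vba_macros(data: bytes) -> bool:
    """Return True if the bytes look like an Office file carrying a VBA project."""
    if data.startswith(OLE_MAGIC):
        # Directory entry names in OLE2 are UTF-16LE, so the stream name
        # is visible in the raw bytes of any macro-bearing legacy document.
        return OLE_VBA_MARKER in data
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # Any part named vbaProject.bin (word/, xl/, ppt/ ...) means macros.
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    return True
                # Belt and braces: the package may declare the VBA content type
                # even if the part was given an unusual name.
                if "[Content_Types].xml" in names:
                    return OOXML_VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
        except zipfile.BadZipFile:
            return False
    return False


def should_block(sender_domain: str, internal_domain: str, attachment: bytes) -> bool:
    """Gateway rule from the article: macro-bearing Office files from outside the org."""
    is_external = sender_domain.lower() != internal_domain.lower()
    return is_external and has_vba_macros(attachment)


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing (not a real Word document)."""
    types = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
             '<Default Extension="xml" ContentType="application/xml"/>']
    if with_macro:
        types.append('<Override PartName="/word/vbaProject.bin" '
                     'ContentType="application/vnd.ms-office.vbaProject"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "\n".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not real VBA")
    return buf.getvalue()


def build_sample_ole(with_macro: bool) -> bytes:
    """Constructed OLE2-looking blob: header plus an optional stream-name marker."""
    marker = OLE_VBA_MARKER if with_macro else "WordDocument".encode("utf-16le")
    return OLE_MAGIC + b"\x00" * 64 + marker


if __name__ == "__main__":
    samples = [("docx", build_sample_ooxml(False)), ("docm", build_sample_ooxml(True)),
               ("doc", build_sample_ole(False)), ("doc+vba", build_sample_ole(True))]
    for label, blob in samples:
        print(f"{label:8s} macros={has_vba_macros(blob)}")
    print("block external docm:", should_block("attacker.example", "corp.example",
                                               build_sample_ooxml(True)))
```

In a real gateway the sender check would use authenticated mail metadata rather than a bare domain string, and the OLE heuristic should be replaced by a proper compound-file parser; the point here is that the decision keys on the presence of a VBA project inside the container, not on the attachment's file extension.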