Macro-based malware evolves to bypass traditional defenses


Macro-based malware is growing into full-featured malware capable of detecting and bypassing traditional security tools, Barkly researchers have discovered.

Macro-based malware: The past

Malware peddlers have been misusing Word macros to deliver malware for nearly fifteen years.

The approach, which takes advantage of a macro's ability to execute a series of instructions automatically as a single command, was first used in the early 2000s.

As users became familiar with it, this malware delivery tactic was abandoned, only to resurface in late 2014, allowing criminals to prey on newer generations of computer users.

In the last two years, attackers have cycled through many different approaches for tricking users into enabling Word macros, but the malicious Word documents usually contained only a script that downloaded a dropper, which in turn fetched the final malicious payload from a C&C server.

Macro-based malware: The future?

Barkly researchers have recently spotted a new wave of phishing emails that deliver booby-trapped Word documents posing as invoices, and asking users to enable macros in order to view the content:

[Image: Macro-based malware]

But this run was unlike many before it: the criminals chose to embed a second-stage executable payload directly in the Word document.

“One thing that makes this latest version of [well-known downloader] Hancitor stand out is that its payload is already bundled as a binary object directly in the Word doc. It’s this payload that pings the C2 server. What it receives are pointers back to two additional binary objects (one executable and one DLL), which it downloads and executes,” the researchers explained. The calls made by the executed dynamic-link library (DLL) are what give the attackers access to operating system resources and let them grab additional payloads.

The change in approach is an attempt to throw traditional security tools off the malware’s scent.

In this particular spam campaign, Hancitor attempts to drop the Pony and Vawtrak information-stealing Trojans, but it could just as easily be any other type of malware.
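The detail that matters for defenders in the passage above is that the second-stage payload is stored as a binary object inside the document itself rather than fetched by a script, so static triage of the file can surface it before any macro runs. The following is an added example (not code from the original article or from Barkly) that scans an OOXML-format Word document (.docx/.docm, which is a zip container) for a VBA project and for embedded parts that begin with the MZ executable header. The sample document is constructed in memory for illustration; the part names under word/ are the standard OOXML layout, and the legacy binary .doc format, which is an OLE compound file rather than a zip, would need an OLE parser and is deliberately out of scope here.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0"  # header of an OLE compound file (vbaProject.bin is one)
PE_MAGIC = b"MZ"                  # header of a Windows executable or DLL


def build_sample_docx(with_payload: bool) -> bytes:
    """Constructed test document: a minimal OOXML zip. When with_payload is True
    it carries a VBA project and an embedded object that looks like a PE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        if with_payload:
            # stands in for a macro project; real ones are OLE files with VBA streams
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 32)
            # stands in for the bundled second-stage binary described in the article
            z.writestr("word/embeddings/oleObject1.bin", PE_MAGIC + b"\x90\x00" + b"\x00" * 64)
    return buf.getvalue()


def triage_docx(data: bytes) -> dict:
    """Static indicators for an OOXML Word file: does it carry macros, which parts are
    embedded objects, and which parts anywhere in the container start with an MZ header."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML zip container (legacy .doc needs an OLE parser)")
    findings = {"has_vba": False, "embedded_parts": [], "pe_like_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings["has_vba"] = True
            if "/embeddings/" in lower:
                findings["embedded_parts"].append(name)
            # check every part, not just embeddings: a payload can be hidden under media/
            if not lower.endswith((".xml", ".rels")) and z.read(name)[:2] == PE_MAGIC:
                findings["pe_like_parts"].append(name)
    # macros plus an executable blob in the same file is the combination worth escalating
    findings["suspicious"] = findings["has_vba"] and bool(findings["pe_like_parts"])
    return findings


if __name__ == "__main__":
    for label, doc in (("benign", build_sample_docx(False)), ("payload", build_sample_docx(True))):
        print(label, triage_docx(doc))
```

The two signals are kept separate on purpose: a VBA project alone is common in legitimate business documents, and an embedded MZ blob alone can be a packaged installer, but the pair together matches the pattern the article describes and is a reasonable trigger for quarantine and analyst review.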

Protecting users against macro-based malware

In enterprise setups, employees can be protected through a combination of AV and behavior-based protection, email filtering, and event monitoring, the researchers advised. Educating users on how to spot malicious emails and phishing attempts, and making sure that they can report incidents easily and without fear of negative repercussions, is also a must.
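"Event monitoring" in the advice above becomes concrete once you decide what to look for: a document that carries its own executable still has to get that binary running, which in practice means the Word process (or one of its descendants) launching something. This added example, which is not code from the article or from Barkly, runs a small detection rule over constructed Sysmon-style process-creation events: it flags any process spawned by an Office application and any process spawned by such a flagged child, and rates the alert higher when the executable or a DLL on its command line lives in a user-writable directory. The field names, paths and timestamps are invented for the example; lineage is keyed on image path because the constructed log has no process IDs, whereas real telemetry should use ProcessId/ParentProcessId so that a legitimate later rundll32.exe is not tainted by an earlier flagged one.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed process-creation events (not real telemetry): one Word launch,
# a dropped executable started by Word, that executable loading a DLL via rundll32,
# and an unrelated benign launch.
SAMPLE_LOG = """\
time,parent_image,image,command_line
2016-10-03T09:12:01,C:\\Windows\\explorer.exe,C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE,"WINWORD.EXE /n invoice.doc"
2016-10-03T09:12:09,C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE,C:\\Users\\alice\\AppData\\Local\\Temp\\dropped.exe,dropped.exe
2016-10-03T09:12:10,C:\\Users\\alice\\AppData\\Local\\Temp\\dropped.exe,C:\\Windows\\System32\\rundll32.exe,"rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\stage.dll,Run"
2016-10-03T09:15:00,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\notepad.exe,notepad.exe
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# substrings that indicate a path a normal user can write to (assumption for this example)
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def _touches_user_writable(*texts: str) -> bool:
    return any(hint in t.lower() for t in texts for hint in USER_WRITABLE_HINTS)


def detect_office_spawns(log_text: str) -> list:
    """Return alert dicts for processes spawned by an Office app, and for processes
    spawned by those flagged children (one further generation)."""
    alerts = []
    flagged_images = set()  # lower-cased image paths already tied to an Office spawn
    for row in csv.DictReader(io.StringIO(log_text)):
        parent_path, child_path, cmdline = row["parent_image"], row["image"], row["command_line"]
        parent_name = PureWindowsPath(parent_path).name.lower()
        severity = "high" if _touches_user_writable(child_path, cmdline) else "medium"
        if parent_name in OFFICE_APPS:
            rule = "office_spawned_process"
        elif parent_path.lower() in flagged_images:
            rule = "office_descendant_spawned_process"
        else:
            continue
        alerts.append({"time": row["time"], "rule": rule, "severity": severity,
                       "parent": parent_path, "child": child_path, "command_line": cmdline})
        flagged_images.add(child_path.lower())
    return alerts


if __name__ == "__main__":
    for alert in detect_office_spawns(SAMPLE_LOG):
        print(alert["time"], alert["severity"], alert["rule"], "->", alert["child"])
```

A rule this broad will also fire on benign Office helpers in some environments; the practical approach is to run it in audit mode first and add an allowlist of the child images your fleet legitimately produces, rather than loosening the rule itself.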

In Office 2016, Microsoft has added a new feature that allows enterprise administrators to block all macros from running in Office documents that come from the Internet.

Non-enterprise users must still rely on their own capabilities to spot these attempts, but endpoint security solutions and spam filters used by popular email providers can be of great help.