Macro-less malware: The cyclical attack

Last year, attackers linked to the Russian hacking group APT28 (sometimes called Fancy Bear) started hacking like its 1999 with Microsoft Word-based malware that doesn’t trigger security warnings along the way. These types of attacks are called “macro-less malware” because they bypass the security warnings added to Microsoft Office programs in response to traditional macro malware like the Melissa virus at the end of the 20th century.

In a November 2017 analysis, security giant McAfee noted one APT28 campaign that used a combination of phishing and macro-less malware to drop spyware onto victim computers.

Macro-less malware exploits a Microsoft protocol called Dynamic Data Exchange (DDE) to run malicious code within Microsoft Office documents. DDE has its legitimate uses too, mainly to share data between applications. In this case, attackers can use DDE to launch other applications, like PowerShell, and execute malicious code.

These new DDE attacks still require some amount of user interaction, just like traditional Office macro attacks. In order for the malicious DDE code to execute, the attacker must convince the victim to disable Protected Mode and click through at least one additional prompt. Where they differ from traditional Office macro attacks though, is how the prompts are framed to the user.

With Microsoft Office 2003 and later, Microsoft changed macro warning prompts to highlight their security implications, using yellow shields and prominent “Security Warning” messages. DDE execution prompts however, are simple grey boxes, sometimes with no mention of security, that ask users “This document contains links that may refer to other files. Do you want to update this document with the data from the linked file?” In other words, DDE is now handled similarly to how traditional macros were handled 20 years ago back in Office ’97. New attack method, but the same user interaction.

Both traditional macro malware and macro-less malware have the same end result – they allow attackers to leverage the Microsoft Windows scripting engine to download and execute malicious payloads. While macros can embed Visual Basic code directly into a Word document, DDE must launch a separate application, like PowerShell, to perform complex tasks like downloading and executing malware.

So why are attackers doing this? Macro-less malware attacks are successful for the same reason that macro malware has stuck around for over 20 years. A large amount of end users simply do not read pop up prompts before clicking “yes.” Attackers often increase their chances of successfully infecting their targets by using social engineering tactics like explicit instructions to accept all prompts in order to “view the important message.” Bad actors are notorious for recycling anything that works, so it’s common for malicious tactics like this to resurface in different forms time and time again.

Luckily, there are steps you can take to protect yourself. In the wake of the APT28 attacks, Microsoft published a security advisory with instructions for enabling DDE controls to disable the protocol entirely. Many advanced malware sandboxing solutions can detect DDE-based malware and stop it from ever entering your network. Most importantly though, end users need to be trained to spot phishing attacks and the social engineering tricks that attackers use to trick their victims into clicking through DDE prompts.

Microsoft has already started to improve Office’s handling of macro-less malware by adding several behind-the-scenes controls to stop malicious DDE code in its tracks. It likely won’t be long until Microsoft improves their DDE security prompts to provide better guidance to would-be victims. But, these prominent security warnings have failed to end macro malware, which means both types of attacks are still something to watch out for in the future. As always, when in doubt, don’t click on anything you don’t understand or expect.