Threats 101
The Barkly Team
May 2017

Macro Malware that Bypasses AV: What You Need to Know

Hiding malicious macros inside Microsoft Office docs has once again become one of the most popular ways for criminals to launch their attacks. Here's everything you need to know about macro malware in 2017.

Unless you’re a newbie to the IT security business, you probably remember when Microsoft Office macros became one of the most popular means of malware delivery in the late 1990s and early 2000s. When Microsoft and others finally locked down their macro mechanisms, the frequency of macro-based malware declined sharply and attackers moved on to other methods of infiltration.

But now macro malware has made a comeback, with criminals using it to prey on end-users to get past conventional signature-based AV solutions. It’s also no longer just a Windows problem — macro malware has made the move to Mac, too.

In this post, we’ll take a look at exactly what macro malware is, how it operates, and how you can keep it from rearing its head inside your organization. But first...

What are macros?

Macros are small programs embedded inside another program that automate repetitive tasks.

For example, an accountant might embed a macro into Excel that pulls data from an external database. Or, a Word macro could be used to automate common processes, like adding a digital letterhead to documents or populating reports with a pre-formatted table. They’re also used often in payroll and business intelligence applications.

Macros are simple and easy to configure, requiring no programming experience: creators basically “record” the procedure, then play back the macro each time they want to repeat that process. The simplicity, efficiency, and time savings macros afford make them quite popular, especially for Office programs like Word and Excel — which is also what makes macro malware so effective…the classic double-edged sword.

The evolution of macro malware

When Microsoft introduced macro capabilities into its Office suite, the automated scripts were enabled by default. That meant when one individual emailed a macro-embedded Word or Excel document to another, the macro automatically executed when the receiver opened the document. Malware authors soon exploited this functionality, embedding malware executables as macros and emailing the documents to unwitting targets.

Microsoft and others eventually disabled the automatic execution, instead requiring users to manually enable macros on any incoming document. Between that and users becoming wise to the risk of opening suspicious documents or those from uncertain sources, macro malware took a nosedive.

Over the last few years, however, we’ve seen a resurgence of attackers using macros as first-stage downloaders that install their final payloads (typically ransomware or trojans). Here are a few of the most common threats today:

  • Both Locky ransomware and the Dridex banking trojan are primarily distributed via phishing emails that trick victims into opening Microsoft Office attachments with malicious macros.
  • Infected Excel macros enabled a BlackEnergy infection at a Ukrainian power company, causing an outage that impacted some 225,000 people in the dead of winter.
  • Hancitor, another Word macro-based malware, drops the Pony and Vawtrak trojans onto the network to steal confidential information, passwords and/or credentials.

In fact, according to Symantec's 2017 Internet Security Threat Report, the most common attack pattern in 2016 involved criminals fooling victims into downloading either a JavaScript file or a Microsoft Office file with macros.

(Figure: Symantec 2017 ISTR)

What makes macro malware so effective — and difficult to stop?

Macro malware is a favorite of hackers for several reasons:

1) It sneaks in using a nearly universally accepted file type

Attackers are able to capitalize on the fact that using and sharing Office documents is baked into most users’ day-to-day work. They don’t have to trick users into downloading suspicious executable files that many AV programs would block anyway. Instead, hackers deliver familiar-looking documents, like reports, invoices, spreadsheets, etc. via phishing emails. All they have to do is make the email itself look convincing enough to get the user to open the document.

2) Macros are easy to weaponize

Macro malware leverages the scripting mechanisms in Microsoft Office, which are usually written in Visual Basic or JavaScript, and anyone with basic programming knowledge can write simple macro malware. Because Visual Basic allows very limited functionality, modern malware macros typically send a request out to a target server to grab a subsequent stage (just like legitimate macros might pull in data from another source), and that second stage is what typically does the dirty work.
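Because the document itself is only the first stage, the defender's first question about an incoming Office attachment is simply whether it carries a VBA project at all. The script below is an added example (not Barkly's code and not from the original post): it opens a modern OOXML package (.docx/.docm/.xlsx/.xlsm/...) as the ZIP container it is, looks for the vbaProject.bin part and the macro-enabled content types, and flags a file whose extension does not advertise macros. The two sample documents are constructed in memory as minimal stand-ins for real Office output; the function and verdict names are this example's own.

```python
import io
import zipfile

# Content types that only appear in packages carrying VBA.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
)
# Extensions that legitimately advertise macro-enabled content.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                    ".pptm", ".potm", ".ppam", ".ppsm")


def _build_doc(macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML package, with or without a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro
                   else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
        ct = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>')
        if macro:
            ct += ('<Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/>')
        ct += "</Types>"
        z.writestr("[Content_Types].xml", ct)
        z.writestr("word/document.xml", "<w:document/>")
        if macro:
            # A real vbaProject.bin is an OLE2 compound file; only the magic is mimicked here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32)
    return buf.getvalue()


def inspect_ooxml(data: bytes) -> dict:
    """Report whether an OOXML package carries VBA, without opening it in Office."""
    result = {"is_ooxml": False, "vba_parts": [], "macro_content_types": [], "has_macros": False}
    if not data.startswith(b"PK\x03\x04"):
        return result  # legacy .doc/.xls (OLE2) or not an Office file: needs a different parser
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    result["is_ooxml"] = True
    names = z.namelist()
    result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    try:
        ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        ct = ""
    result["macro_content_types"] = [t for t in MACRO_CONTENT_TYPES if t in ct]
    result["has_macros"] = bool(result["vba_parts"] or result["macro_content_types"])
    return result


def triage(filename: str, data: bytes) -> str:
    """One-line verdict for a mail-gateway or sandbox pre-filter."""
    r = inspect_ooxml(data)
    if not r["is_ooxml"]:
        return f"{filename}: REVIEW - not an OOXML package (legacy OLE document or other format)"
    if not r["has_macros"]:
        return f"{filename}: OK - no VBA project found"
    evidence = ", ".join(r["vba_parts"] or r["macro_content_types"])
    note = "" if filename.lower().endswith(MACRO_EXTENSIONS) else "; extension does not advertise macros"
    return f"{filename}: QUARANTINE - VBA project present ({evidence}){note}"


if __name__ == "__main__":
    for name, doc in (("report.docx", _build_doc(False)),
                      ("invoice.docm", _build_doc(True)),
                      ("invoice.docx", _build_doc(True))):
        print(triage(name, doc))
```

The check is deliberately structural rather than signature-based: it does not need to know what the macro does, only that the document can run code, which is the property a mail filter or help desk actually cares about. Legacy binary .doc/.xls files are OLE2 containers and are reported for separate review rather than parsed here.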

3) Hackers hack the humans as much as the machines

While Microsoft may have disabled macros by default in order to thwart macro malware, users often still have the option to re-enable them, and in a busy work environment it’s easy to become blind or indifferent to warnings and alerts. Unfortunately, that can give macro malware direct access to their machines and potentially the entire company’s network, data, and infrastructure.

What can you do?

Here are a few options for protecting your organization from macro malware, listed from most to least demanding:

Disable macros across the entire organization

While it might be a natural conclusion to jump to, simply disabling macros entirely, company-wide, isn't always a practical option. Some software and business processes rely on macros for functionality (business intelligence solutions and accounting workflows, for example).

What about only allowing authorized macros? Maybe. Office supports digitally signed macros, so a policy can allow only signed macros to run, but maintaining the signing process and trusted publishers is difficult from an IT perspective, especially as an organization grows.
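Whichever of the two stances an organization takes, the setting that implements it is the same Trust Center value, and whether it is enforced by Group Policy or merely chosen by the user is what decides if a "just enable it" click can undo it. The audit below is an added example, not Barkly's code and not part of the original post: it resolves the effective macro setting from the Office registry keys (the key paths and the VBAWarnings and blockcontentexecutionfrominternet value names are the real Office 2016 settings; the two workstation exports are constructed data) and lists what is still weak, for the fully hardened signed-only configuration beside a default one.

```python
# Meaning of the VBAWarnings DWORD under the per-application Security key.
VBA_WARNINGS = {
    1: "enable all macros",
    2: "disable all macros with notification (Office default)",
    3: "disable all macros except digitally signed macros",
    4: "disable all macros without notification",
}
APPS = ("Word", "Excel", "PowerPoint")


def effective_macro_setting(reg: dict, app: str, ver: str = "16.0") -> dict:
    """Resolve the setting Office applies for one application.

    A value under HKCU\\Software\\Policies (set by Group Policy) overrides the
    user's own Trust Center choice under HKCU\\Software\\Microsoft; with neither
    present Office falls back to 2, "disable with notification".
    """
    policy = reg.get(rf"HKCU\Software\Policies\Microsoft\Office\{ver}\{app}\Security", {})
    user = reg.get(rf"HKCU\Software\Microsoft\Office\{ver}\{app}\Security", {})
    if "VBAWarnings" in policy:
        level, source = policy["VBAWarnings"], "policy"
    elif "VBAWarnings" in user:
        level, source = user["VBAWarnings"], "user"
    else:
        level, source = 2, "default"
    return {
        "level": level,
        "meaning": VBA_WARNINGS.get(level, "unknown value"),
        "enforced": source == "policy",
        # Policy-only setting: block macros in files carrying the mark of the web.
        "blocks_internet_files": policy.get("blockcontentexecutionfrominternet") == 1,
    }


def audit(reg: dict, ver: str = "16.0") -> dict:
    """Return {app: [findings]}; an empty list means that application is hardened."""
    report = {}
    for app in APPS:
        s = effective_macro_setting(reg, app, ver)
        findings = []
        if s["level"] in (1, 2):
            findings.append(f"unsigned macros can run ({s['meaning']})")
        if not s["enforced"]:
            findings.append("setting is not enforced by policy; the user can change it")
        if s["level"] != 4 and not s["blocks_internet_files"]:
            findings.append("macros in files downloaded from the internet are not blocked")
        report[app] = findings
    return report


# Constructed registry exports standing in for two workstations (hypothetical data).
WEAK_WORKSTATION = {
    r"HKCU\Software\Microsoft\Office\16.0\Word\Security": {"VBAWarnings": 2},
    r"HKCU\Software\Microsoft\Office\16.0\Excel\Security": {"VBAWarnings": 1},
    # PowerPoint has no value at all: Office default applies.
}
HARDENED_WORKSTATION = {
    rf"HKCU\Software\Policies\Microsoft\Office\16.0\{app}\Security": {
        "VBAWarnings": 3, "blockcontentexecutionfrominternet": 1}
    for app in APPS
}

if __name__ == "__main__":
    for name, reg in (("weak", WEAK_WORKSTATION), ("hardened", HARDENED_WORKSTATION)):
        print(name)
        for app, findings in audit(reg).items():
            print(f"  {app}: {'; '.join(findings) or 'hardened'}")
```

The same resolution logic applies to a real export produced with reg.exe or Get-ItemProperty; the point of separating "level" from "enforced" is that a workstation can look correct today and be one Trust Center click away from running unsigned macros tomorrow.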

Invest in user security awareness training

Microsoft has ramped up macro protection of its Office 2016 and 2013 suites, but as with many other forms of malware, employee education is critical. Train users to spot phishing emails and emphasize the importance of keeping macros disabled — only enabling them if they’re absolutely certain the document and the sender are legit.

Don't just rely on antivirus — use smarter, stronger protection

As the last, most reliable line of protection against malicious macros, use an endpoint protection platform like Barkly that can spot the tell-tale signs of macro-based attacks in system activity and block them automatically before any damage is done.

Rather than just scanning files and attempting to guess which ones are malicious, Barkly monitors for suspicious activity, so even if macro malware does get past traditional AV, it won’t have a chance to execute.

Learn more about how Barkly provides powerful protection with refreshingly simple management. Get the details.

The Barkly Team

Providing the latest security alerts and updates with context that makes them useful.
