December 17, 2015 By Larry Loeb 2 min read

In its “McAfee Labs Threat Report” from November 2015, the security firm found that that macro malware — the big threat of the 1990s — is making a comeback. Researchers from Intel Security noted on Dark Reading that there were four times as many instances of this threat in 2015 compared to last year.

What Is Macro Malware?

Macros are instructions used by some applications, notably Microsoft Word, to get a certain result. In an earlier time, Word executed macros right from the get-go without checking with the user by default. This was a boon for cybercriminals, who could have malicious programs executed immediately upon download. Microsoft has since disabled this behavior, and macros now cannot run without the user’s permission.

The threat was dormant for years, but macro use has recently regained popularity as an infection vector. And it’s not just Word that’s vulnerable these days: Excel files, in which data and associated macros are contained in the same workbook, are also open to such an attack.

The compromised files, which may delivered as email attachments, such as in the Melissa macro attack, often behave normally even after performing their malicious activity. This makes infections even more difficult to detect.

What Happens During an Infection?

A user who enables macros and ignores any warnings that the program may give allows the malware to run after downloading a document. After executing the macro malware, the malware drops one or more .bat, .vbs or .ps files onto the victim’s system, depending upon whether the malware family is Bartallex, Dridex, Donoff or some other downloader. These dropped files will download even more malware such as Upatre, Vawtrak, Chanitor or ZBot.

As the malware runs, an XMLHTTP object is created to exchange data with the server. It continuously sends a connection request to the server using HTTP Send() until it gets a response. Once the connection is established with the decrypted URL, the final payload is downloaded and saved in the specified path on the victim’s machine. Finally, the downloaded binary is executed using the Shell() command.

Attackers usually try to obfuscate macro code via functions ranging from character conversion to complex customized encryption. A huge amount of junk data may resolve itself to one URL in this way.

What Can Be Done?

Simple steps can be used to prevent becoming a victim — most notably not enabling macros. Make sure the default setting for macro security on all Microsoft Office products is set to high.

Iamwire recommended users configure anti-malware software to automatically scan all email and instant message attachments. Make sure email programs do not automatically open attachments or render graphics. Use great caution when opening these attachments, especially when those attachments carry the .doc or .xls extension.

Monitor for unexpected pings to IP addresses such as 1.3.1.2 or 2.2.1.1, etc. from internal computers. This can be an indication of infection.

And as always, beware of spam-based phishing schemes. Don’t click on links in emails from mysterious senders, and ensure all security measures are enabled in your account.

More from

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

Testing the limits of generative AI: How red teaming exposes vulnerabilities in AI models

4 min read - With generative artificial intelligence (gen AI) on the frontlines of information security, red teams play an essential role in identifying vulnerabilities that others can overlook.With the average cost of a data breach reaching an all-time high of $4.88 million in 2024, businesses need to know exactly where their vulnerabilities lie. Given the remarkable pace at which they’re adopting gen AI, there’s a good chance that some of those vulnerabilities lie in AI models themselves — or the data used to…

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today