December 17, 2015 By Larry Loeb 2 min read

In its “McAfee Labs Threat Report” from November 2015, the security firm found that that macro malware — the big threat of the 1990s — is making a comeback. Researchers from Intel Security noted on Dark Reading that there were four times as many instances of this threat in 2015 compared to last year.

What Is Macro Malware?

Macros are instructions used by some applications, notably Microsoft Word, to get a certain result. In an earlier time, Word executed macros right from the get-go without checking with the user by default. This was a boon for cybercriminals, who could have malicious programs executed immediately upon download. Microsoft has since disabled this behavior, and macros now cannot run without the user’s permission.

The threat was dormant for years, but macro use has recently regained popularity as an infection vector. And it’s not just Word that’s vulnerable these days: Excel files, in which data and associated macros are contained in the same workbook, are also open to such an attack.

The compromised files, which may delivered as email attachments, such as in the Melissa macro attack, often behave normally even after performing their malicious activity. This makes infections even more difficult to detect.

What Happens During an Infection?

A user who enables macros and ignores any warnings that the program may give allows the malware to run after downloading a document. After executing the macro malware, the malware drops one or more .bat, .vbs or .ps files onto the victim’s system, depending upon whether the malware family is Bartallex, Dridex, Donoff or some other downloader. These dropped files will download even more malware such as Upatre, Vawtrak, Chanitor or ZBot.

As the malware runs, an XMLHTTP object is created to exchange data with the server. It continuously sends a connection request to the server using HTTP Send() until it gets a response. Once the connection is established with the decrypted URL, the final payload is downloaded and saved in the specified path on the victim’s machine. Finally, the downloaded binary is executed using the Shell() command.

Attackers usually try to obfuscate macro code via functions ranging from character conversion to complex customized encryption. A huge amount of junk data may resolve itself to one URL in this way.

What Can Be Done?

Simple steps can be used to prevent becoming a victim — most notably not enabling macros. Make sure the default setting for macro security on all Microsoft Office products is set to high.

Iamwire recommended users configure anti-malware software to automatically scan all email and instant message attachments. Make sure email programs do not automatically open attachments or render graphics. Use great caution when opening these attachments, especially when those attachments carry the .doc or .xls extension.

Monitor for unexpected pings to IP addresses such as 1.3.1.2 or 2.2.1.1, etc. from internal computers. This can be an indication of infection.

And as always, beware of spam-based phishing schemes. Don’t click on links in emails from mysterious senders, and ensure all security measures are enabled in your account.

More from

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Can memory-safe programming languages kill 70% of security bugs?

3 min read - The Office of the National Cyber Director (ONCD) recently released a new report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software." The report is one of the first major announcements from new ONCD director Harry Coker and makes a strong case for adopting memory-safe programming languages. This new focus stems from the goal of rebalancing the responsibility of cybersecurity and realigning incentives in favor of long-term cybersecurity investments. Memory-safe programming languages were also included as a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today