Report: Macro Malware Making a Comeback

December 17, 2015 @ 10:45 AM
| |
2 min read

In its “McAfee Labs Threat Report” from November 2015, the security firm found that that macro malware — the big threat of the 1990s — is making a comeback. Researchers from Intel Security noted on Dark Reading that there were four times as many instances of this threat in 2015 compared to last year.

What Is Macro Malware?

Macros are instructions used by some applications, notably Microsoft Word, to get a certain result. In an earlier time, Word executed macros right from the get-go without checking with the user by default. This was a boon for cybercriminals, who could have malicious programs executed immediately upon download. Microsoft has since disabled this behavior, and macros now cannot run without the user’s permission.

The threat was dormant for years, but macro use has recently regained popularity as an infection vector. And it’s not just Word that’s vulnerable these days: Excel files, in which data and associated macros are contained in the same workbook, are also open to such an attack.

The compromised files, which may delivered as email attachments, such as in the Melissa macro attack, often behave normally even after performing their malicious activity. This makes infections even more difficult to detect.

What Happens During an Infection?

A user who enables macros and ignores any warnings that the program may give allows the malware to run after downloading a document. After executing the macro malware, the malware drops one or more .bat, .vbs or .ps files onto the victim’s system, depending upon whether the malware family is Bartallex, Dridex, Donoff or some other downloader. These dropped files will download even more malware such as Upatre, Vawtrak, Chanitor or ZBot.

As the malware runs, an XMLHTTP object is created to exchange data with the server. It continuously sends a connection request to the server using HTTP Send() until it gets a response. Once the connection is established with the decrypted URL, the final payload is downloaded and saved in the specified path on the victim’s machine. Finally, the downloaded binary is executed using the Shell() command.

Attackers usually try to obfuscate macro code via functions ranging from character conversion to complex customized encryption. A huge amount of junk data may resolve itself to one URL in this way.

What Can Be Done?

Simple steps can be used to prevent becoming a victim — most notably not enabling macros. Make sure the default setting for macro security on all Microsoft Office products is set to high.

Iamwire recommended users configure anti-malware software to automatically scan all email and instant message attachments. Make sure email programs do not automatically open attachments or render graphics. Use great caution when opening these attachments, especially when those attachments carry the .doc or .xls extension.

Monitor for unexpected pings to IP addresses such as or, etc. from internal computers. This can be an indication of infection.

And as always, beware of spam-based phishing schemes. Don’t click on links in emails from mysterious senders, and ensure all security measures are enabled in your account.

Larry Loeb
Principal, PBC Enterprises

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE mag...
read more