Document Macro Malware on the Rebound
Fifteen years after the first Microsoft Word macro viruses attacked the Internet, the technique is still proving successful at exploiting users.In 1999 and 2000, Microsoft macro viruses such as Melissa and ILOVEYOU wreaked havoc on the Internet. In 2007, new features in Microsoft Word brought the macro virus to the edge of extinction. Now in 2014, macro-based malware is making somewhat of a comeback, once again proving to be a successful tool for attackers to exploit users. Security vendor Sophos is among the vendors that are seeing a recent uptick in macro malware, reporting that it has seen 75 new variants of Word macro malware since January. And in a detailed analysis of a phishing campaign identified as "String of Paerls," Cisco details how a Visual Basic for Applications (VBA) macro in Microsoft Word is also a root cause. Macro malware is typically delivered in the form of a malicious email attachment. "I looked at our Senderbase data, and we are seeing a clear increase in malicious email attachments," Craig Williams, technical leader with Cisco Threat Research, Analysis, and Communications (TRAC), told eWEEK. "In the last 18 months, we saw an average daily volume of 0.0142 billion malicious attachments. If we shrink the window to the last six months, this average daily volume increases to 0.0243 billion samples." The Sophos report notes that all versions of Microsoft Office since 2007 have blocked the execution of VBA macros by default. Users are required to explicitly allow a macro before it can run. What has happened in recent months is that attackers are increasingly using social engineering techniques to trick users into allowing macros to run. Sophos noted in its report that one technique that attackers use is to have content marked as confidential and the user is encouraged to enable macros in order to view it.
In the Cisco String of Paerls report, the attackers also leveraged some interesting tactics. The unique feature of this attack is that it was a targeted spearphishing campaign combined with a very obfuscated binary, Williams said.