Macro malware has made a comeback with the advent of sophisticated social engineering tactics and the popularity of macro programs. For cyber criminals, Microsoft Office macros in particular are an attractive target due to the enormous MS Office user base.
Macro malware often uses Visual Basic for Applications (VBA) programming in Microsoft Office macros to spread viruses, worms, and other forms of malware, posing a significant risk to corporate security.
How macro malware works
A macro (short for “macroinstruction”; the prefix comes from the Greek macro, “large”) is a chain of commands that instructs applications such as Excel and Word to perform certain actions. Macros bundle several smaller instructions into one command and run them together, which extends the application's functionality by speeding up recurring tasks.
Because macros are programs, they can be abused by malware authors like any other program. Macro viruses are written in the same macro language that the host application, such as Microsoft Word or Excel, uses. In a macro malware attack, cyber criminals typically create malicious code, embed it in the macros of a document, and distribute that document as an attachment in phishing emails. Once the victim opens the attachment, the macros it contains can run, and the malware then starts infecting other files opened with Microsoft Office. This ability to spread rapidly is one of the main risks posed by macro malware.
Macro malware protection best practices
Macro viruses can invoke harmful functions, such as changing the content of text documents or deleting files. The Emotet malware also often uses macros to gain access to the network; it then loads additional modules such as banking Trojans, password stealers or ransomware. Some macro viruses also access the victim's email accounts and send copies of the infected files to all contacts, who in turn often open those files because they appear to come from a trusted source.
If the macros in a Microsoft Office file are never executed, the malware cannot infect the device. The main challenge in avoiding macro malware infections is therefore correctly identifying phishing emails. Be wary of the following:
- Emails from unknown senders
- Emails with invoices or allegedly confidential information attached
- Documents that show only a preview until macros are enabled
- Documents whose macro processes look suspicious
The best way to eliminate the macro malware threat is to reduce the interaction between malware and a device. Organizations should use a combination of the following techniques to strengthen their defenses against macro malware attacks.
Eliminating the macro malware threat
1. Use a spam/junk filter and phishing protection
The fewer phishing emails that reach the inbox, the lower the likelihood of a macro malware attack. In addition to the classic spam filter, there are dedicated phishing protection technologies that use machine learning to detect even sophisticated spear phishing attacks. These solutions learn the normal communication behavior within a company and raise an alarm when they observe anomalies.
2. Use a strong antivirus program
Antivirus software can send an alert message when a user tries to open a malicious link or download a suspicious file.
3. Attachments from unknown senders
If users do not know the sender of an email, they should not open its attachments, even if the email refers to personal information or claims to contain an unpaid invoice.
4. Attachments in suspicious emails from known senders
By reverse engineering the malicious file's code, security professionals can decode encrypted data stored by the sample, determine the logic of the file's domain, and uncover other capabilities of the file that were not revealed during behavioral analysis. Reversing the code manually requires malware analysis tools such as debuggers and disassemblers.
5. Check before execution which processes a macro controls
If a macro appears to perform malicious actions, it should not be enabled. Since many users are familiar with the term macro malware but may not know how to identify it, companies should also give their employees regular training on recognizing possible threats, especially social engineering. Greater user awareness of the dangers of macro viruses significantly strengthens corporate security and reduces the number of successful macro malware attacks.
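As an added example, not code from the original article, the following Python triage script applies point 5 and the "suspicious macro processes" item above: it first checks whether an Office document's container carries a VBA project at all, then scores macro source text for the indicators a reviewer would look at (auto-run triggers, process launch, download capability, string obfuscation). The document container, the vbaProject.bin stub and the VBA snippet are all constructed for the demonstration; extracting real macro source from the binary stream would need a tool such as olevba.

```python
import re
import zipfile
from io import BytesIO
# A macro-enabled OOXML file (.docm/.xlsm/.pptm) is a zip; the VBA project is one of these parts.
VBA_PROJECT_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Indicators a reviewer looks for in macro source: auto-run triggers, process/download capability, obfuscation.
INDICATORS = {
    "autoexec": re.compile(r"\b(AutoOpen|AutoExec|Auto_Open|Document_Open|Workbook_Open)\b", re.I),
    "process_launch": re.compile(r"\b(Shell|WScript\.Shell|CreateObject|ShellExecute)\b", re.I),
    "download": re.compile(r"\b(URLDownloadToFile|XMLHTTP|WinHttpRequest|InternetOpen)\b", re.I),
    "powershell": re.compile(r"powershell", re.I),
    "obfuscation": re.compile(r"\bChr[WB]?\s*\(|\bStrReverse\s*\(", re.I),
}
# Constructed sample macro source (hypothetical), used only as scanner input.
SAMPLE_VBA = """Sub AutoOpen()
    Set sh = CreateObject("WScript.Shell")
    cmd = Chr(110) & Chr(111) & Chr(116) & Chr(101)
    sh.Run cmd, 0
End Sub
"""
def has_vba_project(data: bytes) -> bool:
    """True if the container carries a VBA project stream at all."""
    try:
        with zipfile.ZipFile(BytesIO(data)) as zf:
            return any(part in zf.namelist() for part in VBA_PROJECT_PARTS)
    except zipfile.BadZipFile:
        return False  # not an OOXML container (or corrupt)

def scan_vba_source(source: str) -> dict:
    """Count indicator hits per category in extracted VBA source text."""
    return {name: len(rx.findall(source)) for name, rx in INDICATORS.items()}

def verdict(hits: dict) -> str:
    """Auto-run trigger plus launch/download capability is the classic dropper shape."""
    capable = hits["process_launch"] + hits["download"] + hits["powershell"] > 0
    if hits["autoexec"] and capable:
        return "suspicious"
    if capable or hits["obfuscation"]:
        return "review"
    return "clean"

def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed minimal container; a real .docm has many more parts."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()
```

A hit count is a triage signal, not a verdict on its own: a legitimate finance spreadsheet may well use CreateObject, so "review" means a human or sandbox should look before macros are enabled.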