Social engineering tricks open the door to macro-malware attacks

Social engineering tricks open the door to macro-malware attacks - how can we close it?

 

The macro malware-laden documents that target email users through email spam are intentionally crafted to pique any person's curiosity.  With subjects that include sales invoices, federal tax payments, courier notifications, resumes, and donation confirmations, users can be easily tricked to read the email and open the attachment without thinking twice.

The user opens the document, enables the macro, thinking that the document needs it to function properly – unknowingly enabling the macro malware to run.

Just when you think macro malware is a thing of the past, over the past few months, we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.

 Figure 1: Increasing trend of macro downloaders from April 2014 to 2015

We have seen majority of the macro-malware attacks in the United States and United Kingdom.

Figure 2: Macro downloaders’ prevalence in affected countries

 

Figure 3: Macro malware distribution heat map

Macro malware infection chain

As stated in the previous macro blog, macro downloaders serve as the gateway for other nasty malware to get in. The following diagram shows how a typical macro downloader gets into the system and deliver its payload.

Figure 4: Macro downloader infection chain

The macro malware gets into your PC as a spam email attachment. The spam email recipient then falls for a social engineering technique, opens the attachment, thereby enabling the macro inside the document.

We have identified some of these macro downloader threats, but not limited to:

• Adnel
• Bartallex
• Donoff
• Jeraps
• Ledod

When a malicious macro code runs, it either downloads its final payload, or it downloads another payload courier in the form of a binary downloader.

We have observed the following final payload, but is not limited to:

• TrojanSpy:MSIL/Golroted

We have also observed the following binary downloaders to be related to these macros, but not limited to:

• TrojanDownloader:Win32/Drixed
• TrojanDownloader:Win32/Chanitor

After the macro malware is downloaded, the job is pretty much done. The torch is passed to either the final payload or the binary downloader.

We have observed the following threats being downloaded by the binary downloaders, but not limited to:

• Backdoor:Win32/Drixed
• Backdoor:Win32/Vawtrak

 

Prevention: How do you close that door?

If you know that social engineering tricks through spam emails open the door to macro malware attacks, what can you do to help protect your enterprise software security infrastructure in closing that door?

Be careful on enabling macros

Macro threats, as payload couriers, seem to gain popularity as an effective infection vector. But unlike exploit kits, these macro threats require user consent to run. To avoid running into trouble because of these macro threats, see Before you enable those macros, for details on prevention.

You can also read more about the macro configuration options to understand the scenarios when you can enable or disable them. See Microsoft Project - how to control Macro Settings using registry keys for details.

Aside from that, be aware of the dangers in opening suspicious emails. That includes not opening email attachments or links from untrusted sources.

If you are an enterprise software security administrator, what can you do?

Most, if not all of the macro malware received are in .doc file format (D0 CF) which are seen in Microsoft Office 2007 and older versions.

If you are in charge of looking after your enterprise software security infrastructure, you can:

• Update your Microsoft security software. Microsoft detects this threat and encourages everyone to always run on the latest software version for protection.
• Ensure that your Trust Center settings are configured not to load older Office versions:

1. Go to Word Options, and select Trust Center. Click Trust Center Settings.

   

                                                               
2. In the Trust Center dialog box, select File Block Settings. Then, select the Word versions that you need to block. 

 

Doing so blocks older Office versions from opening.

• Follow the appropriate Exchange Online Protection instructions to suite your business needs.
• Learn some insights on how Office 365 can help you block spams using machine learning. See First look at Advanced Threat Protection: new tools to stop unknown malware & phishing attacks for details.
• Submit spam and non-spam messages to Microsoft for analysis.
• Enable the Microsoft Active Protection Service (MAPS). Customers using MAPS can take advantage ofMicrosoft's cloud protection and are protected with the latest threat variants. MAPS is enabled by default for Microsoft Security Essentials and Windows Defender for Windows 8.1.

You can check if MAPS feature is enabled in your Microsoft security product by selecting theSettings tab and then MAPS.

MMPC