Malicious Virtual Basic for Applications (VBA) macros are back, this time using social engineering to trick users into opening infected attachments, says Sophos. It’s the persistent challenge of IT security: As you grow ever more sophisticated in your defenses, so do the bad guys in their attack techniques.
Sometimes, though, criminals realize the simpler, older methods — much older, in this case — will do just fine. That explains why the macro virus, scourge of ’90s-era PCs, is making something of a comeback, according to SophosLabs security researcher Gabor Szappanos.
“In the past couple of months, we have observed the resurgence of malicious VBA macros — this time, not self-replicating viruses, but simpler downloader trojan codes,” Szappanos wrote in a recent whitepaper, titled “VBA Is Not Dead!” The delivered malware has included Zeus variants, a dotNET injector, and malicious RATs.
VBA macros were extinct in recent years, thanks largely to security improvements in their chief target: Microsoft Office applications, particularly Word and Excel. A key change, beginning with Office 2007, was that macros were disabled as a default setting, which naturally made it more difficult for malicious code to run in the first place. Now they’re getting a second wind as a malware delivery mechanism. SophosLabs has identified 75 new strains of malicious macros since the start of 2014, when it first detected the once-dead technique in the wild. Although the new VBA code is technically cross-application and could affect Excel, too, SophosLabs has only seen it distributed in Word documents to date.
In the surest sign that simplicity sometimes wins over sophistication, Szappanos pointed out that the reborn macros rely on the eternal threat vector: humans. Because macros are disabled by default in all recent versions of Word and Excel, malware makers need a little help from Joe and Jane User to dump their payload on the host machine.
“Malware authors were prepared for this obstacle, and overcame it by deploying simple social engineering tricks,” Szappanos said. “They prepared the content of the documents in such a way that it would lure the recipient into enabling the execution of macros, and thus open the door for infection.”
The malicious macros, like so much malware, are most commonly delivered via email and the web. The problem, Sophos senior security advisor Paul Ducklin said in an interview, is that even savvy users have grown accustomed to receiving all manner of legitimate links and attachments: statements, invoices, travel itineraries, price quotes, and so forth. So even though people have become smarter about, say, running executable files sent to them by complete strangers, our busy brains are sometimes still too trusting when it comes to email and web links.
“The reason that documents work well for the crooks for delivering malware in email is that it’s easy for them to come up with a reason why you should open the attachment, which is sitting there, just waiting to be viewed,” Ducklin said in an email interview. “The email might tell you, ‘Attached please find your electricity bill,’ but you won’t know how much it is, or whether they correctly processed last month’s payment, unless you open the attachment. So you do. And most of the time, you’re OK.”
Among the tools of deceit: the appearance of “secure” or confidential content that requires enabled macros to view. Another approach is minimalist, displaying just enough of a message to reel in the inquisitive, if a tad gullible, mind. Szappanos noted that regardless of the approach, the malware-in-waiting always includes “helpful” instructions for enabling macros. No matter the means of enticement, following those instructions arrives at the same end: malicious VBA code that runs the next time the document is opened.
“A few of the samples we encountered were rather esoteric and vague, building upon the possibility that the receiver of the document will be as clueless about the point of the message as I was while reading it, and enable the macros purely through curiosity,” Szappanos wrote.
Word documents make especially good disguises for attackers because we’re no longer used to thinking of them as such. Someone in their 20s, for instance, might have no idea what a Word macro is, much less a malicious one. Even older computer users have likely forgotten about the once-common virus type. (Remember the wazzu virus? Fun times.)
“DOC and DOCX files are supposed to be just what their name suggests: documents,” Ducklin said. “They’re supposed to be data that a human can read, not a program that a computer can execute, and Microsoft’s wise decision to force macros off by default is a reflection of that fact.”
Unfortunately, although malicious macros might be a blast from the security past, the core tactic is both current and persistent: Duping unsuspecting users into clicking, keying, and downloading their way into victimhood.
“[The return of VBA macros] emphasizes the fact that there is no need for fancy exploitation,” Szappanos wrote. “When the aim is to infect a large number of users, good old social engineering never fails to deliver the results.”
As with phishing attacks, social media scams, and other online perils that prey upon human judgment, the best defenses are common sense and reasonable skepticism, backstopped by up-to-date security software.
“Don’t play into the hands of the crooks by turning the security clock back to 1999 and turning macros on just because they say so,” Ducklin said. “Better yet, don’t open documents you weren’t expecting from sources you’ve never met in the first place. Ask yourself why someone who wants to open a conversation with you couldn’t just do so in a plain old email.”