Macros, which are a set of commands or codes intended to automate specific functions, are not dangerous in and of themselves. Many organizations actually rely on them to save hours on repetitive tasks that can be more efficiently executed by recording them and automatically running them. They're most often used in software such as Microsoft Excel or Word.
Despite their time-saving potential, macros also come with a security setback. Technically anyone could write a macro to automate any number of tasks, one of which is to run malicious software on someone's computer.
Of course, this means that the user would actually have to download and open a file that contained a macro. However, considering that research by Radicati estimates that there will be a total of 123.9 billion business-related emails sent and received every day in 2016, the idea of someone falling for a phishing scam and running a malicious macro are actually pretty high.
Making a comeback
While thought to have gone the way of the dinosaur in the early 2000s, according to Trend Micro, it appears that cyber attackers are once again leveraging macros for evil. In early 2015, Microsoft first reported on an escalation in macro-based cyber threats. Some of the more prominent threats at the time ran forms of malware such as DRIDEX, ROVNIX and VAWTRAK, and they targeted financial organizations most heavily, according to Trend Micro. Online banking customers have also been hit by macro malware. In these cases, the malware is sent via email by hackers posing as bank employees.
In March 2015, researchers also began tracking BARTALEX. Trend Micro took a look at one of the ways hackers have tried to trick users into running the macro. In the example provided, a message that appears to be an order confirmation from Air Canada states that the ticket information can be found in an attached document. Upon downloading the file, the user will be prompted to enable macros. Once this is done, the automated task will execute, which in this case is the downloading and installation of malware.
More recently, Trend Micro discussed another macro-based malware trend that is plaguing parts of Europe. Per the norm, the macro is stored in a Microsoft Word or Excel documents and attached to an email. In this case, the message will claim that the attached file is for a remittance and invoice notification. If the user downloads the file, and then enables macros – or allows has enabled them by default – a VBScript runs, and downloads DRIDEX malware.
The newest strain of macro malware is actually a type of crypto-ransomware called Locky that disguises itself as an invoice, and includes an attached Word document. Upon opening the file and enabling macros, the attack does what crypto-malware does best: it locks down your files. A ransom note then requests payment in Bitcoin for the decryption key. If an organization does not have a backup for their files, they may have no choice put to comply.
According to a Dark Reading article published late 2015, the key to a recent uptick in the number of macro-based malware schemes such as this is being driven by social engineering. This refers to the component of the scam that spams specific organizations in certain industries that may be more likely to fall for the ploy. This trend, which has steadily increased throughout 2015, will very likely continue to pose problems in 2016.
How can you avoid this cyber threat?
According to Trend Micro researchers, the best way to avoid being baited into a macro malware scam is to activate the macro security function on Microsoft Word and Excel, and to be extremely cautious about enabling macros. If there is any doubt about the authenticity of an email urging you to download a Word or Excel document, it's better to be safe than sorry, and forward the contents to a member of the IT staff.
Likewise, if at any point you are asked to enable macros, double check the source of the document. Even if it was sent from a trusted source, it's possible that they mistakenly downloaded the file and shared it in an email, believing it to be of importance to other personnel in the office. Keen vigilance when checking emails and opening file attachments can help you identify and block macro malware cyber threats.
Last but not least, organizations are encouraged to take a multi-layered approach to cybersecurity. No one form of cybersecurity can filter out every single cyber threat – there are simply too many and they are too diverse in nature. But with a modern solution that combines the strength of anti-malware, anti-spam, vulnerability exploit protection and Web reputation services, macro malware will be one less cyber threat to worry about.
