Macro-based attacks were popular in the early 2000s, and they gained notoriety with the widely publicized Melissa virus. However, macro-based attacks soon began to drop off the radar. One major reason was the security measures Microsoft implemented to address malicious macro files; another probable reason is simply that cybercriminals moved on.
However, it seems like macro-based attacks are making their way into the threat landscape yet again. We recently encountered attacks that use macro-enabled files to deliver threats to users.
Macro-enabled Files Carry ZBOT
TSPY_ZBOT.DOCM arrives via an email attachment, which is detected as W97M_SHELLHIDE.A. This email is disguised as a notification from a law society about “possible fraudulent activity” involving the recipient.
Figure 1. Sample spammed message
If the recipient opens the document, it displays the following message: “This sample [redacted] message requires Macros in order to be viewed. Please enable Macros to be able to see this sample.” Aside from this set of instructions, the document appears to be blank. Analysis shows that the blank document actually contains the malware, embedded in the body and hidden in white font. The embedded malware is stored as ASCII-hex text rather than as a binary.
Enabling the macro feature runs the script that drops the malware. The macro script converts the ASCII-hex text back into its binary form and writes it to disk. The malware can then run on the infected system, stealing information from the user’s machine.
Figure 2. The document appears blank but the malware is actually hidden using white font
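As an added example (not code from the original post or from Trend Micro), the following script checks a .DOCM package for the two traits described above from the defender's side: a long run of hex text in white-font runs in word/document.xml, and the presence of the word/vbaProject.bin macro part. The sample package is constructed inline; the part names are the standard OOXML layout, and the 64-character threshold is an assumption chosen to ignore short hex values such as hashes.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W_NS}
HEX_ONLY = re.compile(r"^[0-9A-Fa-f]+$")
MIN_HEX_CHARS = 64  # assumed threshold: 32 bytes; shorter runs are likely hashes or IDs


def white_hex_runs(document_xml: bytes, min_chars: int = MIN_HEX_CHARS):
    """Return hex strings found in white-font (FFFFFF) runs, collected per paragraph."""
    root = ET.fromstring(document_xml)
    found = []
    for para in root.iter(f"{{{W_NS}}}p"):
        hidden = []
        for run in para.findall("w:r", NS):
            color = run.find("w:rPr/w:color", NS)
            if color is None or color.get(f"{{{W_NS}}}val", "").upper() != "FFFFFF":
                continue
            hidden.extend(t.text or "" for t in run.findall("w:t", NS))
        text = "".join(hidden).replace(" ", "").replace("\n", "")
        if len(text) >= min_chars and HEX_ONLY.match(text):
            found.append(text)
    return found


def scan_docm(data: bytes) -> dict:
    """Flag a package that carries both a macro part and a hidden hex blob."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        has_macro = "word/vbaProject.bin" in names
        doc = zf.read("word/document.xml") if "word/document.xml" in names else b"<w:document/>"
    hex_runs = white_hex_runs(doc) if doc.strip() != b"<w:document/>" else []
    return {"has_macro": has_macro, "hidden_hex_runs": len(hex_runs),
            "max_hex_bytes": max((len(h) // 2 for h in hex_runs), default=0),
            "suspicious": has_macro and bool(hex_runs)}


def build_sample(with_macro: bool = True) -> bytes:
    """Constructed sample: a visible lure line, a white-font hex blob, optional macro part."""
    payload_hex = "4D5A" + "90" * 200  # constructed filler bytes, not a real payload
    doc = (f'<w:document xmlns:w="{W_NS}"><w:body>'
           '<w:p><w:r><w:t>This sample message requires Macros in order to be viewed.</w:t></w:r></w:p>'
           f'<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr><w:t>{payload_hex}</w:t></w:r></w:p>'
           '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_docm(build_sample()))
```

Run it against a real attachment by reading the file into bytes and passing them to scan_docm; a hit on both indicators is worth a closer look in a sandbox.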
Macro File Leads to Backdoor
Another malicious macro-enabled (.DOC) file was found as an attachment of an email related to payment remittance. Like the other file, the document appears blank save for a message instructing the user to enable macros. Once enabled, the attachment—detected as W97M_SHELLHIDE.B—connects to the Internet to download and execute BKDR_NEUREVT.DCM.
Using .DOCM files as an effective attack vector
These attacks show that old techniques can still be as effective as newer ones. They require users to enable macros in order to succeed, but the attackers address this with social engineering: the email messages are meant to convey a sense of urgency and importance. While other applications also employ macros, cybercriminals may have chosen Microsoft Word files because Microsoft Office is still the most widely used productivity software suite.
The use of .DOCM files is interesting as they are uncommon infection vectors, given that they are relatively new; Microsoft introduced this file extension with Office 2007, which is also when the current .DOCX format was introduced. Users who are accustomed to looking out for possibly malicious .PDF or .DOC files may be unfamiliar with this file type.
Users must always exercise caution when opening email attachments, even those from familiar or known senders. If you receive a .DOCM file from someone you don’t know, the safest thing to do is not open it. Since opening a .DOCM file takes just a double-click, a malicious .DOCM file carrying malware such as ZBOT can run just as easily.
File extensions shouldn’t be used as the sole indicator of safety. File type extensions and icons can be easily spoofed. Additionally, Microsoft Office can read and open files even if the extension has been changed. For macro-based attacks, it’s still best to make sure to enable the macro security features in Office applications.
With additional analysis by Mark Manahan.