Macro-enabled Malware Like Dridex Mounts Fresh Spam Campaigns

A fresh burst of social engineering activity is luring the unwitting to turn on macros in Microsoft Office, thus paving the way for malicious macro downloaders to infect consumers and business users alike. The Dridex trojan has become the most recent threat to take on this tactic.

The Microsoft Malware Protection Center (MMPC) recently warned that it has seen an increasing number of threats using macros to spread their malicious code, especially via downloaders like Adnel and Tarbir, which are predominantly targeting customers in the US and UK. Similar to other malware that spreads through malicious binary email attachments (like Upatre), macro malware samples serve as an infection gateway. Once the gate is opened, in this case by opening the email attachment with macros enabled, whatever is on the other side of the gate (including the Drixed.B malware), will enter and infect the system.

The spam emails that are spreading the most recent threats use a variety of legitimate-sounding money-related subject lines, including “ACH Transaction Report,” “Invoice as requested,” “Order - Y24383” and “Payment Details.”

“These names are...designed to look like legitimate payment files and use social engineering to convince recipients to open them,” said Alden Pornasdoro from the MMPC, in the advisory. “Upon opening the Microsoft Office file (in this case a Word document), a user will be prompted to enable macros.”

The combination of an instructional document, a spam email with supposed monetary content, and a seemingly relevant file name can be enough to convince an unsuspecting user to click the Enable Content button. The malware authors reinforce this with step-by-step instructions inside the document that walk the user through enabling the untrusted macros. Once enabled, the macro executes and fetches its payload, a downloader that in turn retrieves the final malware (in this campaign, Dridex).

The default blocking of untrusted macros is a lock on the gate, explained Pornasdoro. “And the key to open the lock is user consent.”

Dridex is a banking trojan that steals online-banking credentials and other data. It’s the payload for a new macros-focused spam campaign that is sending 15,000 mails per day to targets in the UK and the US, according to Trustwave.

Untrusted macros are blocked by default in Office; the application only prompts the user to enable them. Before doing so, users should remember that a file containing a receipt or billing statement almost never needs macros. And if there is a genuine reason for a macro, be wary of unsigned macros, especially ones from an untrusted source.

Furthermore, “some macro malware leave the document intentionally empty, relying on the user to think that they need to enable the macro so that they can see something,” says Pornasdoro. “Beware of such tricks.”
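The indicators above (a money-themed lure, an attachment that carries macros, and an intentionally empty document body) can be checked structurally at a mail gateway before any user sees the Enable Content prompt. The following Python is an added example written for this article, not code from Microsoft, Trustwave or the campaign itself. It inspects an OOXML attachment for the `vbaProject.bin` part and the macro-enabled content type, measures the visible text in `word/document.xml`, and combines that with lure words taken from the subject lines quoted above. The lure-word list, the verdict names and the `make_docx` helper that builds sample attachments in memory are assumptions for illustration; a real `vbaProject.bin` is an OLE compound file, which the sample replaces with placeholder bytes.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Words from the campaign's lures (subject lines quoted in the article) plus a few
# generic finance terms. Matching is case-insensitive on subject and filename.
LURE_WORDS = {"invoice", "payment", "ach", "transaction", "order",
              "receipt", "billing", "statement"}

# Main-part content types that Office assigns only to macro-enabled files.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound file header
W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"


def inspect_attachment(data: bytes) -> dict:
    """Structural facts about an Office attachment; no VBA decompression is attempted."""
    info = {"format": "unknown", "has_macros": False, "body_chars": None}
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats can carry VBA, but deciding needs an OLE parser
        # (e.g. oletools' olevba); report None so the caller routes it for review.
        info.update(format="ole", has_macros=None)
        return info
    if not data.startswith(b"PK"):
        return info
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return info
    names = set(zf.namelist())
    info["format"] = "ooxml"
    # Two independent indicators of macros: a VBA project part inside the package,
    # and a macro-enabled main-part content type declared in [Content_Types].xml.
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    ctypes = ""
    if "[Content_Types].xml" in names:
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    info["has_macros"] = has_vba_part or any(t in ctypes for t in MACRO_CONTENT_TYPES)
    if "word/document.xml" in names:
        try:
            root = ET.fromstring(zf.read("word/document.xml"))
            body = "".join(t.text or "" for t in root.iter(W_NS + "t"))
            info["body_chars"] = len(body.strip())
        except ET.ParseError:
            pass
    return info


def classify(subject: str, filename: str, data: bytes) -> tuple:
    """Return (verdict, reasons); verdict is 'allow', 'review' or 'quarantine'."""
    info = inspect_attachment(data)
    tokens = set(re.findall(r"[a-z]+", (subject + " " + filename).lower()))
    lure = bool(LURE_WORDS & tokens)
    reasons = []
    if info["has_macros"] is None:
        return "review", ["legacy OLE format: cannot rule out VBA without a full parser"]
    if not info["has_macros"]:
        return "allow", reasons
    if lure:
        reasons.append("money-themed lure in subject/filename, but the file carries macros")
    if info["body_chars"] == 0:
        reasons.append("macro-enabled document with an empty body ('enable content to view' bait)")
    return ("quarantine" if reasons else "review"), (reasons or ["macro-enabled attachment"])


def make_docx(body_text: str, with_vba: bool) -> bytes:
    """Build a minimal OOXML Word package in memory (constructed sample, not real malware)."""
    plain_ct = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    main_ct = MACRO_CONTENT_TYPES[0] if with_vba else plain_ct
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Override PartName="/word/document.xml" ContentType="%s"/></Types>' % main_ct)
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                    '<w:body><w:p><w:r><w:t>%s</w:t></w:r></w:p></w:body></w:document>' % body_text)
        if with_vba:
            # Placeholder bytes standing in for the real (OLE-structured) VBA project part.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [  # constructed messages modelled on the lures in the article
        ("Invoice as requested", "invoice_4471.doc", make_docx("", True)),
        ("ACH Transaction Report", "ach_report.doc", OLE_MAGIC + b"\x00" * 512),
        ("Re: meeting", "notes.docx", make_docx("Meeting notes", False)),
    ]
    for subj, name, blob in samples:
        verdict, why = classify(subj, name, blob)
        print("%-10s %-18s %s" % (verdict, name, "; ".join(why)))
```

This is a triage heuristic, not a macro analyser: it never decompresses the VBA source, so it cannot say what a macro does, only that one is present in a context (finance-themed lure, empty body) where it should not be. Legacy binary `.doc` attachments are routed to review because their VBA lives inside the OLE container and needs a proper parser.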
