Macro Malware Returns with a Vengeance, Infecting Half a Million PCs

Macro malware, that tried-and-true document-borne attack vector, is back. Over the past few months, Microsoft has seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.

The majority of the macro-malware attacks have taken place in the United States and United Kingdom.

Macro malware arrives on a PC as a spam email attachment. The user opens the document and enables the macro, believing the document needs it to function properly, and in doing so unknowingly allows the macro malware to run.

Success, of course, requires the email recipient to fall for a social engineering technique and open the attachment.

“The macro malware-laden documents that target email users through email spam are intentionally crafted to pique any person's curiosity,” explained the Microsoft Malware Protection Center in a blog post. “With subjects that include sales invoices, federal tax payments, courier notifications, resumes and donation confirmations, users can be easily tricked to read the email and open the attachment without thinking twice.”

Essentially, macro downloaders serve as the gateway for other nasty malware to get in. “When a malicious macro code runs, it either downloads its final payload, or it downloads another payload courier in the form of a binary downloader,” Microsoft added. “After the macro malware is downloaded, the job is pretty much done. The torch is passed to either the final payload or the binary downloader.”

The threats downloaded in this latest wave of spam include Drixed and Vawtrak, among others. The latter is a banking Trojan (aka Neverquest), which recently resurfaced, with the ability to collect credentials and sensitive information from the clients of hundreds of banking and financial institutions. The latest version is able to capture videos and screenshots, and launch man-in-the-middle attacks.

If social engineering tricks delivered through spam emails open the door to macro malware attacks, what can you do to help your enterprise's security infrastructure close that door?

“Macro threats, as payload couriers, seem to gain popularity as an effective infection vector. But unlike exploit kits, these macro threats require user consent to run,” Microsoft noted.
