Macro Malware: An Old Threat Returns to Deluge Enterprise Inboxes

by Bharat Mistry

The threat landscape moves so fast sometimes that if you blink you might miss it. It seems like only a few years ago we were worrying about how to keep spam off enterprise Exchange servers, and deflect mass mailer worms. Yet while it’s tempting for IT leaders to focus most of their efforts on the latest breaking trends in the information security world – specifically advanced persistent threats and targeted attacks today – there’s much more to the threat landscape than that.

We have noted a recent significant upsurge in macro malware. It’s an old technique but is threatening to cause a lot of new problems for UK organisations today.

What’s macro malware?
Macro attacks were big in the early 2000s. Like the spear phishing emails seen as the first stage of a targeted attack, they usually arrive as a malicious email attachment which the user is tricked into opening by social engineering techniques. To that end, the email is often spoofed so it appears to contain a sales invoice, wire transfer, received fax message or other content which might pique the victim’s curiosity. Unlike targeted attacks, where the hackers spend time crafting malware to exploit specific vulnerabilities or even zero day flaws, macro-based campaigns use more traditional malware.

After opening the document, the user is usually asked to enable macros on their machine in order to view it properly – and in so doing runs the macro malware. This in turn acts as a kind of gateway to download a final malicious payload.

How is it being used?
Trend Micro’s cloud-based threat prevention system, the Smart Protection Network, has observed a sizeable uptick in macro-based attacks. Although we’ve seen macro malware beginning to appear again since last year, the volume really picked up in the first quarter of 2015. The most popular types spotted include W97M_MARKER, W2KM_DLOADR, W2KM_DOXMAL, W2KM_MONALIS and W2KM_BARTALEX.

An attack campaign using the latter recently featured a malicious Dropbox link in the spam email instead of an attachment. If the user enables macros as suggested by a fake pop-up, they will end up running BARTALEX, which in turn leads to a download of a variant of the DYRE banking malware. Other payloads spotted in recent campaigns include the DRIDEX and VAWTRACK banking malware and the backdoor/password stealer ROVNIX.

In the first quarter of this year we spotted over one million macro malware detections, targeted mainly at enterprise inboxes, and it’s still going strong. Microsoft has observed the same, noting in a recent blog post that over 500,000 machines have been infected thus far – mainly in the US and UK. What’s more, the majority of infections we observed (91%) were on computers running newer versions of Windows (Windows 7/Windows Server 2008 R2).

How to stop it
The rising number of global infections spotted thus far should be a timely reminder to IT managers that even older threats remain a risk to enterprise machines if not addressed properly. Obviously these malicious email threats require the user to enable macros in order to deliver their payload. So it’s increasingly important that IT leaders revisit enterprise security awareness and education programmes to ensure staff know what to look out for and how to deal safely with any unsolicited messages.

Security teams should also think about:

  • Turning off Windows Scripting Host on user systems if it serves no major purpose, and reducing your attack surface by disabling any other applications/services that aren’t needed
  • Revisiting and re-evaluating existing security policies
  • Ensuring all current anti-malware tools are up to date
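The first recommendation above, turning off Windows Scripting Host where it isn't needed, can be audited and enforced with a short script. The following PowerShell is an added example, not code from the original post or from Trend Micro; it relies on the documented WSH "Enabled" registry value (0 = disabled) and assumes it is run from an elevated prompt when changing the machine-wide HKLM key.

```powershell
# Added example: report the Windows Scripting Host (WSH) state and, with -Disable,
# turn it off by setting the documented "Enabled" DWORD to 0. With Enabled=0,
# wscript.exe and cscript.exe refuse to run scripts on that machine (HKLM) or
# for that user (HKCU). Supports -WhatIf / -Confirm through ShouldProcess.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable   # without -Disable the script only reports the current state
)

# Machine-wide setting first, then the per-user setting for the running account.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
)

function Get-WshState {
    param([string]$Path)
    $value = (Get-ItemProperty -Path $Path -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $value) { return 'Enabled (default, value not set)' }
    if ($value -eq 0)     { return 'Disabled' }
    return "Enabled (value $value)"
}

foreach ($path in $paths) {
    $state = Get-WshState -Path $path
    Write-Output ("{0,-60} {1}" -f $path, $state)

    if ($Disable -and $state -ne 'Disabled') {
        if ($PSCmdlet.ShouldProcess($path, 'Set Enabled = 0 (disable WSH)')) {
            # The Settings key may not exist yet on a default installation.
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
            Write-Output ("{0,-60} {1}" -f $path, (Get-WshState -Path $path))
        }
    }
}
```

Save as a .ps1 and run it without switches to audit, or with `-Disable -WhatIf` to preview the change before applying it. Note that this blocks the VBScript/JScript stage many downloaders rely on but does not stop the Office macro itself from running, so it complements rather than replaces user awareness and up-to-date anti-malware.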
