New reports indicate that macro viruses and macro-based malware may be a rising enterprise threat, and antimalware software may be of little help.
Daniel Wesemann, incident handler for the Bethesda, Md.-based SANS Institute's Internet Storm Center, noted that a recent Dridex malware strain and the Vawtrak malspam family each used macro viruses in Microsoft Office files to download malware aimed at stealing banking information.
This is not the first time that Dridex has been found to use macros in Excel files to install malware. Security vendor Trend Micro Inc. also reported finding the banking Trojan Dridex in Word files in November 2014. The file asks users to enable macros and then downloads the Dridex malware, which targets banks like Bank of Scotland, Lloyds Bank, Barclays and Santander, and steals banking information through screenshots and website injections.
This is the first time Vawtrak has been found as a macro virus. Vawtrak was first identified by the Japanese National Police Agency in August 2013 as malware delivered through the Angler Exploit Kit, and it caused more than 1.4 billion yen in unauthorized transactions in Japan between January and May 2014. Trend Micro said it has since been used to target banks like Bank of America, Barclays, Citibank, HSBC, Lloyds Bank and J.P. Morgan.
Recently, Wesemann found Vawtrak being sent to victims in spam emails designed to look like FedEx package delivery and tax refund messages, and Trend Micro also found it in fake American Airlines emails. Wesemann said that the message asks users to enable macros; once they do, a batch file, a .VBS script and a PowerShell script are downloaded to infect the system.
Macro viruses haven't been popular since the early 2000s, when the infamous Melissa virus and Love Bug virus ravaged the Internet. Wesemann said that attacks like this may be rising in popularity because file extension-based blocking on an email or Web gateway is often configured only to stop executables (.EXE and .SCR files) or ZIPs containing those file types. Macro infections are carried in Office files (e.g., .DOC and .XLSM), and blocking those file extensions would likely cause serious business disruptions. Additionally, Wesemann found that the Vawtrak macro downloaded a malware executable that was detected by only seven of the 52 antivirus scanners listed on VirusTotal.
Trend Micro noted that the best practice for mitigating these types of infections is for IT administrators to enforce macro security settings in Office applications via Group Policy, and to advise employees to leave finance-related emails alone until they can be confirmed as safe.
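As an added illustration of that Group Policy mitigation (this audit script is not from the article, Trend Micro or SANS), the PowerShell below reads the per-application VBAWarnings policy value that Office's administrative templates write under HKCU\Software\Policies\Microsoft\Office and flags any Word, Excel or PowerPoint install that is still allowed to run unsigned macros. The Office version numbers checked (12.0 through 16.0) are an assumption about which releases are present on the host.

```powershell
# Audit the Group Policy macro setting for each Office application.
# VBAWarnings meanings (from the Office administrative templates):
#   1 = enable all macros, 2 = disable with notification (user can click Enable),
#   3 = disable all except digitally signed, 4 = disable all without notification.
$Meaning = @{
    1 = 'Enable all macros (dangerous)'
    2 = 'Disable with notification (user can still enable)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}
# Assumed set of Office releases to look for; 16.0 covers Office 2016 and later.
$Versions = '12.0', '14.0', '15.0', '16.0'
$Apps     = 'Word', 'Excel', 'PowerPoint'

$Findings = foreach ($v in $Versions) {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
        if (-not (Test-Path $key)) { continue }   # no policy written for this app/version
        $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -eq $val) { $val = 2 }           # Office default when the policy is absent
        [pscustomobject]@{
            Version     = $v
            Application = $app
            VBAWarnings = $val
            Meaning     = $Meaning[[int]$val]
            # Only 3 and 4 stop the "Enable Content" lure used by the Dridex/Vawtrak documents.
            Enforced    = ($val -in 3, 4)
        }
    }
}

if (-not $Findings) {
    Write-Warning 'No Office macro policy found under HKCU\Software\Policies; macros fall back to the user-controlled default.'
} else {
    $Findings | Format-Table -AutoSize
    $Weak = $Findings | Where-Object { -not $_.Enforced }
    if ($Weak) { Write-Warning ("{0} application(s) can still run unsigned macros." -f $Weak.Count) }
}
```

Run it in the context of the affected user; a clean result is every row showing Enforced = True, which means the macro prompt the article describes never appears.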