
Macro viruses reemerge in Word, Excel files

Macro viruses haven't been popular since the early 2000s, but recent malware discoveries indicate that macro-infected Word and Excel files are on the rise.

New reports indicate that macro viruses and macro-based malware may be a rising enterprise threat, and antimalware software may be of little help.

Daniel Wesemann, incident handler for Bethesda, Md.-based SANS Institute's Internet Storm Center, noted that a recent Dridex malware strain and Vawtrak malspam family each used macro viruses in Microsoft Office files to download malware aimed at stealing banking information.

This is not the first time that Dridex has been found to use macros in Excel files to install malware. Security vendor Trend Micro Inc. also reported finding the banking Trojan Dridex in Word files in November 2014. The file will ask users to enable macros, then it will download the Dridex malware, which targets banks like Bank of Scotland, Lloyds Bank, Barclays and Santander, and steals banking information through screenshots and website injections.

This is the first time Vawtrak has been found as a macro virus. Vawtrak was first found by the Japanese National Police Agency in August 2013 as malware injected through the Angler Exploit Kit, which caused more than 1.4 billion yen in unauthorized transactions in Japan between January and May 2014. Trend Micro said it has since been used to target banks like Bank of America, Barclays, Citibank, HSBC, Lloyds Bank and J.P. Morgan.

Recently, Wesemann found Vawtrak being sent to victims in spam emails designed to look like FedEx package delivery and tax refund messages, and Trend Micro also found it in fake American Airlines emails. Wesemann said that the message would ask users to enable macros, and once that was done, a batch file, a .VBS script and a PowerShell script would be downloaded to infect the system.

Macro viruses haven't been popular since the early 2000s, when the infamous Melissa virus and Love Bug virus ravaged the Internet. Wesemann said that attacks like this may be rising in popularity because file extension-based blocking on an email or Web gateway is often set only to target executables (.EXE), script files (.SCR), or ZIPs containing those file types. Macro infections are found in Office files (e.g., .DOC and .XLSM), and blocking those file extensions would likely cause serious business disruptions. Additionally, Wesemann found that the Vawtrak macro downloaded a malware executable that was detected by only seven of 52 antivirus scanners listed in VirusTotal.
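Extension-based blocking, as described above, passes Office attachments through, including a macro-enabled document renamed to a "safe" extension. The following is an added example, not code from the article or from SANS or Trend Micro: a Python check that looks inside the attachment container instead of at its name. Office Open XML files are ZIP archives, so a macro project shows up as a `vbaProject.bin` part or as the `application/vnd.ms-office.vbaProject` content type; the sample documents it runs against are constructed in memory. Legacy binary .doc/.xls (OLE2) files are only flagged for deeper inspection here, since they need an OLE parser.

```python
import io
import zipfile

# Constructed sample data: minimal Office Open XML containers built in memory.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsx/.xlsm) container
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML archive (hypothetical content), with or without a VBA part."""
    types = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
             '<Default Extension="xml" ContentType="application/xml"/>']
    if with_macro:
        types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-stub\x00")
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Classify by container content, ignoring the file name entirely.

    Returns 'ooxml-macro' (contains a VBA project), 'ooxml-clean',
    'ole2-legacy' (binary .doc/.xls: route to an OLE parser) or 'other'.
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return "other"  # not a well-formed OOXML package
    # Either signal is enough: the VBA part itself, or its content-type override.
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    if has_vba_part or VBA_CONTENT_TYPE in content_types:
        return "ooxml-macro"
    return "ooxml-clean"
```

A gateway rule that quarantines `ooxml-macro` and sends `ole2-legacy` to a macro-aware scanner blocks the Dridex and Vawtrak lures above without rejecting every .DOC or .XLSM that the business relies on.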

Trend Micro noted that the best practice for mitigating these types of infections is for IT administrators to enforce macro security measures in Office applications via Group Policy settings, as well as to advise employees to ignore finance-related emails until they can be determined to be safe.

Does your company have macro security enforced in Microsoft Office?
MSFT Office is the most scary thing ever. It's too big, too vulnerable and is relied on by too many people. The solution to this is not to enable macro virus protection, but to use a different solution. I use lots of other writing programs and then export as Word .docs. Same with my spreadsheet software. If MSFT is a danger, then don't use it until it's fixed. I wish more people would use common sense in this area instead of being lazy and just using it because of service contracts and sloth.
Not really for this reason, but our company moved to Google some time ago (a year or so already). Do not think that we were affected by these kinds of viruses on Excel macros. But Google has helped out a lot in avoiding these risks. On the other hand, sharing/posting PII information is quite a problem now. So, what are the priorities? What threat is more important? Agree with Jeff, MSFT is scary... :)
The re-emergence of macro viruses has necessitated that the organization look into file extension blocking not only based on executable files, script files or ZIPs but also on emails, Web gateways and Office files. This is expected to bring a lot of disruption, but the organization would rather have that than its systems shut down by a cyber-attack. Macro security measures are being enforced through Group Policy settings, protecting from unsafe emails.
We do not have macro security enforced. Who knows how many people might be using Excel macros to accomplish little tasks - I know of one department that frequently uses them to generate database reports. They didn't write the macros themselves; there was a DBA who has since left the company who wrote and maintained them. I don't think that too many others knew of their existence, until one day some changes broke the reports. Our group was then asked to fix them. I never thought to question the security of using macros for reporting, but it would probably freak out our security guy if he knew.
As if they were ever going away. MSFT software is notoriously unstable and easily breached. So many people use it that it's a great target for hackers. If you want to truly be safe, use something else.
Clearly a new generation of hackers and those with malicious intent are using the same training wheels as the previous generation.
As more people work on mobile, I wonder if this issue will go away? I was one of those who fell prey to the first wave of malware, but these days, I share content through PDFs and the web much more often than fifteen years ago. Unfortunately, if this resurgence sticks, it will likely target less savvy users opening attachments and clicking links in email and social media from people they don't know.