Cybercriminals Disable Macro Warnings to Execute Attacks
- By Dawna M. Roberts
- Published: Jul 21, 2021
- Last Updated: Mar 18, 2022
A large portion of the business world uses Microsoft Office programs, and some of them use macros. Hackers have recently devised a method of bypassing security warnings when a macro-laced file is opened and are delivering malicious files to victims.
The Problem
Typically, bad actors infect a Microsoft Office file (Word or Excel) with malware and use phishing techniques to send it to victims. They hope that users will enable macros despite the security prompt, which then executes their malicious code. Recently, however, cybercriminals have found a way to disable the security warning and set macros to run by default.
According to The Hacker News, McAfee discovered the technique last week: as hackers continue to ‘evolve their techniques to evade detection, researchers from McAfee Labs stumbled upon a novel tactic that “downloads and executes malicious DLLs (ZLoader) without any malicious code present in the initial spammed attachment macro.”’
The report showed that ZLoader infections had been found in the U.S., Canada, Spain, Japan, and Malaysia. The popular banking trojan ZeuS is one such tool used by hackers; it is “well known for aggressively using macro-enabled Office documents as an initial attack vector to steal credentials and personally identifiable information from users of targeted financial institutions.”
How Does it Work?
The details revealed that the ruse starts with a phishing email sent to victims with a Microsoft Word document attached. When the document is opened, it downloads a password-protected Excel document from the hacker’s remote server. Although the Excel file itself does not rely on the user enabling macros, the initial file (the Word document) needs to have macros enabled before it will download the infected file.
The Hacker News reported: “After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions,” the researchers said. “Once the macros are written and ready, the Word document sets the policy in the registry to ‘Disable Excel Macro Warning’ and invokes the malicious macro function from the Excel file. The Excel file now downloads the ZLoader payload. The ZLoader payload is then executed using rundll32.exe.”
Fortunately, macros are disabled by default. However, the techniques used by these hackers are sophisticated, and they rely on social engineering to trick victims into enabling macros. Since the first file contains no malware of its own, it builds trust, and then the deception begins. The clever tactic of turning off the macro warning gives the user a false sense of security, so they do not expect anything to execute.
The Hacker News explains: “Malicious documents have been an entry point for most malware families, and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payloads,” the researchers said. “Usage of such agents in the infection chain is not only limited to Word or Excel, but further threats may use other living off the land tools to download its payloads.”
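As an added example (not code from the article, from McAfee or from The Hacker News), the following Python script shows how a defender might spot the two behaviours quoted above in endpoint telemetry: an Office process rewriting the Trust Center macro policy in the registry, and rundll32.exe being launched by an Office process. It assumes Sysmon-style events (Event ID 13 registry value set, Event ID 1 process create) reduced to plain dictionaries, and it uses the real Trust Center value names VBAWarnings and AccessVBOM, which the article does not name. All sample events, paths, file names and the SID are constructed.

```python
import re
from dataclasses import dataclass

# Office executables whose registry writes and child processes we inspect.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
APP_EXE = {"word": "winword.exe", "excel": "excel.exe"}

# Trust Center macro settings live under
# HKCU\Software\Microsoft\Office\<version>\<app>\Security.
# VBAWarnings: 1 = "Enable all macros" (no warning shown), 2 = disable with
# notification (the default), 3 = signed only, 4 = disable all.
# AccessVBOM: 1 = "Trust access to the VBA project object model", which a macro
# needs before it can write VBA code into another document.
MACRO_POLICY_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\(?P<ver>\d+\.\d+)\\(?P<app>Word|Excel)"
    r"\\Security\\(?P<name>VBAWarnings|AccessVBOM)$",
    re.IGNORECASE,
)
DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")


@dataclass
class Finding:
    rule: str
    process: str  # process that performed the suspicious action
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_dword(details: str):
    """Parse Sysmon's 'DWORD (0x00000001)' Details string; None if not a DWORD."""
    m = DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def detect(events):
    """Return a Finding for each event matching one of two rules:
    an Office process turning off macro warnings (or enabling VBA project
    access) in the registry, and rundll32.exe launched by an Office process."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:  # RegistryEvent (Value Set)
            m = MACRO_POLICY_RE.search(ev["TargetObject"])
            if not m:
                continue
            writer = basename(ev["Image"])
            value = parse_dword(ev["Details"])
            name = m.group("name").lower()
            if name == "vbawarnings" and value == 1:
                rule = "macro_warning_disabled"
            elif name == "accessvbom" and value == 1:
                rule = "vba_project_access_enabled"
            else:
                continue  # restoring 2/3/4 or clearing AccessVBOM is not suspicious by itself
            # One Office app editing another's policy (Word -> Excel, as in the
            # ZLoader chain) is far more telling than a user changing their own
            # Trust Center settings, which shows the app writing its own key.
            if writer in OFFICE_PROCESSES and writer != APP_EXE[m.group("app").lower()]:
                rule += "_cross_app"
            findings.append(Finding(rule, writer,
                                    f"{m.group('app')} {m.group('ver')} {m.group('name')}={value}"))
        elif ev["EventID"] == 1:  # ProcessCreate
            child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            if child == "rundll32.exe" and parent in OFFICE_PROCESSES:
                findings.append(Finding("office_spawned_rundll32", parent, ev["CommandLine"]))
    return findings


OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
HKU_USER = r"HKU\S-1-5-21-1111-2222-3333-1001"  # constructed SID

# Constructed sample telemetry following the chain described in the article.
SAMPLE_EVENTS = [
    # Explorer launches Word on the phishing attachment: normal by itself.
    {"EventID": 1, "Image": OFFICE16 + r"\WINWORD.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"WINWORD.EXE" invoice.docm'},
    # Word's VBA grants VBA project access, then silences Excel's macro warning.
    {"EventID": 13, "Image": OFFICE16 + r"\WINWORD.EXE",
     "TargetObject": HKU_USER + r"\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": OFFICE16 + r"\WINWORD.EXE",
     "TargetObject": HKU_USER + r"\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings",
     "Details": "DWORD (0x00000001)"},
    # Excel, started by Word, runs the injected macro and hands the DLL to rundll32.
    {"EventID": 1, "Image": OFFICE16 + r"\EXCEL.EXE", "ParentImage": OFFICE16 + r"\WINWORD.EXE",
     "CommandLine": '"EXCEL.EXE"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": OFFICE16 + r"\EXCEL.EXE",
     "CommandLine": r"rundll32.exe C:\Users\Public\example.dll,Start"},
    # Benign noise: Excel restoring the default prompt from its own Trust Center,
    # and Explorer using rundll32 for a Control Panel applet.
    {"EventID": 13, "Image": OFFICE16 + r"\EXCEL.EXE",
     "TargetObject": HKU_USER + r"\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.process}: {f.detail}")
```

Run as-is, the script reports the three findings from the constructed chain (VBA project access enabled and macro warning disabled, both flagged as cross-application because Word wrote Excel's key, then rundll32 spawned by Excel) and ignores the two benign events. The cross-application variant is the distinctive signal in this chain: a user changing their own macro setting shows Excel writing Excel's key, whereas here another Office application rewrites it.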
What is MS Office?
Microsoft Office is a suite of software programs used by millions of businesses across the globe. It is probably the most used software anywhere, with the only exception being Google apps. The suite includes things like Word (word processing program), Excel (spreadsheet program), PowerPoint (presentation software), Access (database software), and others.
How MS Office Users Can Stay Safe
Dissecting this attack shows a few points at which users can avoid infection. The first and most important is to never, ever click links or download files from an email unless you are 100% sure where it came from. Some other tips:
- Never enable macros in a file from an untrusted source.
- Keep antivirus software running on all devices.
- Educate yourself on phishing emails and social engineering tactics to avoid getting caught.
- Always verify the sender of the email before taking any action.
- Keep all MS Office programs updated with the latest security patches.