Fighting streaky macro threats: The saga continues

Diwakar Kumar Dinkar & Prajwala Rao K, McAfee Labs

Remember macro malware? In the 1990s, threats such as Melissa and WM.Concept enjoyed success until software developers, primarily Microsoft, took steps to reduce their effectiveness.

After languishing for years, macro malware made a come-back around mid-2014, since then it has constantly been leveraged to carry out malicious attack campaigns and more botnets are spreading through sending large numbers of phishing emails with macro malware.

An Office document file containing a malicious macro usually arrive as an email attachment and pretend to be an invoice, a delivery notice, a resume, anything that may seem harmless and can be used as a social engineering trick. Once the user runs such a file, the malicious macro code in the document will automatically run and execute the payload.

This paper will introduce the common attack methods of macro malware in detail. We will show how macro malware changes its phases in last four years and played hide and side with AV vendors. During the last four years McAfee Labs has observed a huge increase in macro malware.

In the first section, we will present some background information about macro malware and explain what pushes the malware author to use macros as the most commonly used type of malware in the first stage of attack?

Next, we will talk about evolution of macro malware and look at advance level of obfuscation, anti-sandboxing techniques. The early macro malware were all single VBA scripts, while in recent years we have seen a new trend of VBA mixed with PowerShell. Further we will discuss, how macro malware changes its infection methodology with time by using DDE, Password protected document, hiding in text box, using MaxMind to achieve infection goal. Recently, it used IQY Files to evade AV detection and downloads malware via excel.

This paper also reveals some unique finding about Emotet spam campaign by exposing its unique obfuscation pattern in the macro.

In the final part of the presentation we will discuss possible detection methods to fight this streaky macro threat including static, heuristic, machine learning and anomalies-based detection.

Diwakar Kumar Dinkar

Diwakar is a security researcher in McAfee Labs, India, since 2014. He is a part of Threat intelligence team which focuses on cybercrime analysis and attack correlation. His work currently targets non-executable Windows malware. He finished his Master’s degree in 2012. At the moment he’s also a PhD student researching the field of IOT threats. Having over 5 years of security industry experience, Diwakar regularly contributes his research through blogs and whitepapers. He is the author of the McAfee-published white papers “The return of macro malware”, “Adwind Java-based malware”, “Hiding in plain sight: The concealed threat of steganography” and “The rise of script-based malware”. Diwakar’s personal interests include reading (politics and mathematics), sport and teaching.

Prajwala Rao K

Prajwala is presently working as a Senior Security Researcher with McAfee Labs and is been with McAfee for 9+ years . Currently she is part of Threat intelligence team which primarily focuses on proactive threat mitigation and leads various projects in McAfee labs . In the recent years she has extensively worked on JavaScript Malware and has made her contribution through blogs, Whitepaper, Feature engineering. Prajwala has around 11 years of experience in Security industry . She is an enthusiast in Sports, Painting, Music and of course is an avid presenter.

The Dynamic Security Ecosystem
Other Topics