Fighting streaky macro threats: The saga continues

Diwakar Kumar Dinkar & Prajwala Rao K, McAfee Labs

Remember macro malware? In the 1990s, threats such as Melissa and WM.Concept enjoyed success until software developers, primarily Microsoft, took steps to reduce their effectiveness.

After languishing for years, macro malware made a come-back around mid-2014, since then it has constantly been leveraged to carry out malicious attack campaigns and more botnets are spreading through sending large numbers of phishing emails with macro malware.

An Office document file containing a malicious macro usually arrive as an email attachment and pretend to be an invoice, a delivery notice, a resume, anything that may seem harmless and can be used as a social engineering trick. Once the user runs such a file, the malicious macro code in the document will automatically run and execute the payload.

This paper will introduce the common attack methods of macro malware in detail. We will show how macro malware changes its phases in last four years and played hide and side with AV vendors. During the last four years McAfee Labs has observed a huge increase in macro malware.

In the first section, we will present some background information about macro malware and explain what pushes the malware author to use macros as the most commonly used type of malware in the first stage of attack?

Next, we will talk about evolution of macro malware and look at advance level of obfuscation, anti-sandboxing techniques. The early macro malware were all single VBA scripts, while in recent years we have seen a new trend of VBA mixed with PowerShell. Further we will discuss, how macro malware changes its infection methodology with time by using DDE, Password protected document, hiding in text box, using MaxMind to achieve infection goal. Recently, it used IQY Files to evade AV detection and downloads malware via excel.

This paper also reveals some unique finding about Emotet spam campaign by exposing its unique obfuscation pattern in the macro.

In the final part of the presentation we will discuss possible detection methods to fight this streaky macro threat including static, heuristic, machine learning and anomalies-based detection.

Diwakar Kumar Dinkar

Prajwala Rao K

The Dynamic Security Ecosystem
Other Topics