*This blog entry was originally published on January 4, 2016 on the original Polito Blog. It was re-posted on October 3, 2017 due to migrating to a new blog platform.
Malicious Code in Application Supported Formats
Macro Malware: Introduced back in the 1990’s, macro malware has been practically extinct until a recent resurgence. Malware authors are revisiting macro malware because of its sheer simplicity not only in coding it, but also in how it is distributed – the most popular way being phishing emails.
Macro malware targets Microsoft Office applications (Word, Excel, etc.). Malicious VBA macros are used to infect anyone who opens the file, mostly with Trojan downloaders. Any application that supports the uploading/downloading of Microsoft Office documents is at risk.
What is VBA?
VBA is Visual Basic for Applications, a macro programming environment of the Microsoft Office Suite. It is the modern version of the BASIC programming language. It is typically used to set up macros for specific document formats that are commonly used to format text in documents. Essentially a macro is just a shortcut to a task you would otherwise have to do repeatedly.
Starting in Office 2007, Microsoft Office has VBA macros disabled by default. This is good for security, yet macro malware is still alive and well because malware authors are using social engineering to trick users into enabling macros in malicious documents. Some enterprises also re-enable macros because their document workflows require them to run unimpeded.
The problem lies in how simple it is to code this "macro malware". It is no longer necessary to learn VBA as there are ready-made VBA malware templates all over the internet, which streamlines the creation of malicious documents. There are hundreds of new malware variants based on these templates since early 2015.
Figure 1. Chart covers some of the common macro malware found in Q1 of 2015. Image from: trendmicro.com
Macro malware decreased in prevalence after Microsoft patched their Office Suite, and began warning users about macros included in the files they received. This functionality was implemented in Office 2007 and has been effective at preventing a significant amount of macro malware. However, a resurgence began in late 2014, when researchers at CYREN observed an outbreak of over 3.02 billion emails containing new macro malware. Subsequent outbreaks in December consisted of as many as 1.2 billion emails a day. The chart above only shows a small number of the newly formed macro malware in quarter one of 2015, but it gives a picture of recent macro malware growth.
VBA malware is hardly ever self-contained, but instead acts as a "downloader". The VBA will connect to the internet, specifically to a server that hosts a malicious .EXE, download the malicious executable and run it, all without a single prompt for a user decision.
Now, the attackers have an executable with full malicious capabilities that will keep running in the background not only after you exit the Word document, but potentially even when their victims log out and reboot. This attack vector is becoming increasingly difficult to detect as newer VBA malware code has been seen making calls to lesser known system functions. These calls frequently turn out to be longer time-wasting loops in an attempt to avoid detection. This is achieved by slowing down the malware execution time making it hard for antivirus to detect it as malicious. Most AV's have a time period of scanning per file scanned so the AV will usually drop a file if it is taking too long to scan.
Obfuscation
Malware authors know that VBA is blocked within Microsoft Office by default, and overcome this obstacle by deploying social engineering tricks. They prepare the content of the documents in such a way that it would lure the recipient into enabling the execution of macros, and thus open the door for infection.
VBA can be implemented that will actually blur out the entire contents of the document until the user enables macros, which in turn will execute the embedded macro virus.
Figure 2. An example of simple social engineering used by VBA malware authors. Photo: https://www.virusbtn.com/blog/2014/11_07.xml
The user is left with no other option but to "enable macros" to view the document. A company that uploads and downloads documents or a user that unknowingly opens a file received from the all too common phishing emails becomes at risk for these types of attacks. More information on obfuscation techniques used by VBA malware authors will be covered in part two of this series.
Macro Automation
Microsoft Office programs provide several ways a programmer could automatically execute macros when a specific event occurs. Some of them are tied to menu commands, while the automacros are connected to global application events. If the document contains macro procedures that are using one of the predefined, special names, these procedures are called by the Office application when the specific event occurs. The simple macro shown below is activated every time the document is opened using the Workbook_Open() command. The “malicious” code will actually force quit Microsoft Excel 30% of the time it is opened – annoying and frustrating after a while, but not really malicious. However, the ability to execute macro code when a document is opened presents several possible attack vectors for malware writers.
Figure 3. Photo shows how simple malicious VBA code can be. Photo courtesy of the author.
In Microsoft Word, these events are tied to starting the Word application (the event could be captured with a macro procedure named AutoExec), exiting Word (AutoExit), opening a document (AutoOpen), closing a document (AutoClose), or creating a new document (AutoNew).
Microsoft Excel has a wider selection of automatic macros, but includes similar functions, such as starting Excel (Auto_Open), exiting Excel (Auto_Close), opening a workbook (Workbook_Open), and closing a workbook (Workbook_Close). The structure of the Trojan’s macro code ensures that the code is executed whenever the document is opened. Even though the code itself is not cross-application, Workbook_Open and Auto_Open could make it work in Excel.
Most VBA malware calls the UrlDownloadToFile Windows API function to download the final payload from a hard-coded URL. The file is then saved either to the %TEMP% folder or the %APPDATA% folder, and executed it using the ShellExecute function. The dropped executable was usually registered for automatic execution during system start-up in one of the registry autorun locations, such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
In Part 2 of this series I will break down a piece of macro malware and cover more of the obfuscation techniques used by malware authors today.
Polito, Inc. offers a wide range of security consulting services including penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.
E-mail: info@politoinc.com
Phone: 571-969-7039
Website: politoinc.com
References:
Ducklin, Paul. "Why Word Malware Is BASIC: SophosLabs Takes Apart a Booby-trapped Document." Sophos Blog. 28 Sept. 2015. Web. 27 Dec. 2015.
<https://blogs.sophos.com/2015/09/28/why-word-malware-is-basic/>.
Kohavi, Lior. "Cyber Threat Report." Alt-N Tehcnologies. Cyren, 1 Apr. 2015. Web. 28 Dec. 2015.
<http://static.altn.com/Collateral/Security-Threat-Trend-Reports/2015-Q1_Email-Threat-Trend-Report.pdf>.
"Macro Malware on the Rise Again." Virus Bulletin: Blog. Web. 2016.
<https://www.virusbtn.com/blog/2014/11_07.xml>.
Szappanos, Gabor. "Covering the Global Threat Landscape." Virus Bulletin : VBA Is Not Dead! 2 July 2014. Web. 9 Dec. 2015.
<https://www.virusbtn.com/virusbulletin/archive/2014/07/vb201407-VBA#figure.1>.
Yaneza, Jay. "Macro Malware: When Old Tricks Still Work, Part 1." TrendLabs Security Intelligence Blog. 4 Mar. 2015. Web. 18 Dec. 2015.
<http://blog.trendmicro.com/trendlabs-security-intelligence/macro-malware-when-old-tricks-still-work-part-1/>.
Zorabedian, John. "What’s next for Ransomware? CryptoWall Picks up Where CryptoLocker Left off." Naked Security. 4 May 2015. Web. 16 Dec. 2015.
<https://nakedsecurity.sophos.com/2014/06/18/whats-next-for-ransomware-cryptowall-picks-up-where-cryptolocker-left-off/>.