The use of malicious macros as a method of spreading malware fell out of favor by the start of the new millennium, although over the past few months, malicious macros have made something of a comeback.
Cybercriminals are once again using them to rapidly spread malware and ransomware to unsuspecting end users.
On Thursday last week, the United States Computer Emergency Readiness Team (US-CERT) issued an advisory warning of the increased risk of attack via macro-based malware, and urged companies and consumers to take steps to reduce risk.
The advisory came after a number of successful macro-based malware attacks, some of which caused widespread disruption and extensive damage. In late December, 2015, cyberattacks were conducted on Ukrainian energy companies using BlackEnergy3 malware, which was used to download a KillDisk Trojan. These attacks resulted in power outages across the country affecting millions of homes and businesses.
Prior to those attacks, malicious actors targeted Ukrainian news agencies using the same malware. Those infections are understood to have been made possible with malicious Word macros.
However, it is not only organizations in Ukraine that are at risk. Macros are now being used to target a wide range of organizations all around the globe and are used to gain access to corporate systems and to download a variety of malicious payloads.
Malicious Macros are Back with a Vengeance
The use of macros as a method of malware delivery all but died out. In fact, malicious macros have rarely been seen over the past decade. This is partly due to action taken by Microsoft to combat the threat – disabling macros in Microsoft Office by default. Office 97, for example, warned users in no uncertain terms that running macros had the potential to harm their computers and install viruses. End users were aware of the risks and infection became harder.
Later releases of Office have seen these warnings downgraded to a certain extent. End users can now all too easily enable macros with a click, even without being aware that they are taking a considerable risk. Many end users are also unlikely to be aware of the risks that come from enabling macros, as they were not of working age in the 90’s.
Attacks using macros are also now a lot more sophisticated. Malicious actors are incorporating a range of social engineering techniques into attacks to convince end users to enable macros. Users are given a seemingly valid reason for enabling macros, such as being informed that a macro has been included in the document as a security protection, or that macros are needed to ensure content displays correctly.
System Administrators Should Take Steps to Reduce the Risk of Macro-Malware
The resurgence in the use of malicious macros to install malware means system administrators need to take action to reduce the risk of an end user allowing macros to run.
System administrators should ensure that macros are disabled on all devices by default. End users who need to use macros for work purposes should manually enable macros document by document when required. Training should also be provided to ensure staff are aware of the risks.
However, if possible, access to macros should be restricted to stop end users from making a wrong decision.
Windows 365 and Office 2016 allow system administrators to apply group policies that block macros from being run in documents that originate from the Internet. Group and user controls can also be applied on earlier Windows versions to block macros from being run by all users unless they are needed for work purposes.
If macros are required by specific individuals or user groups, blocks should be placed on the specific Office applications that do not need them. If the billing department needs to use Excel macros, block Word macros from being run, for instance.
Other controls which can be implemented include only allowing signed macros to be run, or using the Trusted Locations feature of Office, although these two controls have flaws.
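The per-application lockdown and "signed macros only" controls described above, as an added example that is not part of the original article: the script writes the same registry values that the Office 2016 Group Policy settings "Block macros from running in Office files from the Internet" and "VBA Macro Notification Settings" write, and audits the result. The Word/Excel/PowerPoint split is a constructed scenario based on the billing-department example; in production these values would be deployed through GPO rather than run per workstation.

```powershell
# Added example, not from the original article. Models the Office 2016 GPO
# macro settings as the per-user policy registry values they produce.
$OfficeVersion = '16.0'   # Office 2016 / Office 365 ProPlus policy hive

# VBAWarnings values used by Office:
#   2 = disable all macros with notification (the risky "Enable Content" bar)
#   3 = disable all except digitally signed macros
#   4 = disable all macros without notification
$MacroMode = @{
    DisableWithNotification = 2
    SignedOnly              = 3
    BlockAll                = 4
}

function Set-OfficeMacroPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('Word','Excel','PowerPoint')][string]$App,
        [Parameter(Mandatory)][ValidateSet('DisableWithNotification','SignedOnly','BlockAll')][string]$Mode
    )
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Macro behaviour for documents opened normally.
    New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord -Value $MacroMode[$Mode] -Force | Out-Null
    # Documents carrying the Mark-of-the-Web (downloads, e-mail attachments)
    # have macros blocked outright, regardless of the setting above.
    New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-OfficeMacroPolicy {
    # Audit helper: report the effective policy per application and flag any
    # app where the enable/disable decision is still left to the end user.
    foreach ($app in 'Word','Excel','PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $warn = if ($p -and $p.PSObject.Properties['VBAWarnings']) { $p.VBAWarnings } else { 0 }
        $motw = if ($p -and $p.PSObject.Properties['blockcontentexecutionfrominternet']) { $p.blockcontentexecutionfrominternet } else { 0 }
        [pscustomobject]@{
            App           = $app
            VBAWarnings   = $warn
            BlockInternet = $motw
            UserDecides   = ($warn -lt 3 -or $motw -ne 1)
        }
    }
}

# Constructed scenario: billing needs (signed) Excel macros, nobody needs Word or PowerPoint macros.
Set-OfficeMacroPolicy -App Word       -Mode BlockAll
Set-OfficeMacroPolicy -App Excel      -Mode SignedOnly
Set-OfficeMacroPolicy -App PowerPoint -Mode BlockAll
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Run the audit function on its own to check existing workstations; any row with UserDecides set to True is an application where the end user still sees the "Enable Content" prompt.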
However, doing nothing and leaving the decision to enable macros down to the end user is a particularly risky strategy. It is also one that sys admins may live to regret.