The late 1990s was a time when bleached hair tips, Tamagotchi, the Spice Girls and platform shoes were all the rage. In the cyber-world, the most popular way to hack into computers was through vulnerable Microsoft Office macros.
A macro is a set of commands designed to execute in a particular order without needing user input. Macros are very handy for automating repetitive tasks in Microsoft products like Word or Excel, as Microsoft Office programs support macros written in Visual Basic.
Unfortunately, macros can be used for evil too. Anyone can write a macro to automate just about anything, including a macro that runs malicious software on a device or computer.
You may remember the Melissa virus that plagued computer users back in 1999. This macro-virus was distributed as an email attachment in the form of a Word document. If a user opened the infected document in Word 97 or Word 2000 with macros enabled, the Normal.dot template was infected with the macro-virus. When the infected document was opened by another user, the document, including the macro-virus, was spread using Microsoft Outlook, which sent the virus on to the first 50 contacts in their address book. In some cases, the user’s own document was propagated instead of the original document, thereby potentially leaking sensitive information.
After the destruction caused by the Melissa virus, Microsoft was forced to look more seriously at its security features and changed its products to disable the automated scripts by default, forcing attackers to look for alternative methods. Microsoft recently reported, however, that macro-virus attacks are making a comeback.
Today’s macros are more sophisticated, cleverly designed and often encrypted, making them challenging to detect. Given that macros are turned off by default in Microsoft Office software, the hackers have to be creative and try to trick users into turning macros on. They often accomplish this by making the document text appear “blurred” and promising the user that switching macros on will make the document legible. Some hackers are being extremely creative and are hiding their malicious code inside the names of macro buttons contained in Word documents. The button name stores commands to visit a specific URL and download malware onto the targeted computer. Examples of macro-based malware doing the rounds in recent years are “Dridex”, a banking Trojan, and “Locky”, a nasty strain of crypto-ransomware that disguises itself as an invoice. When the document is opened, Locky locks down the files on the computer and the user is sent a ransom note demanding payment to obtain the decryption key.
What has sparked the resurgence of macro attacks?
Some experts say that the improved security of old faithfuls like Flash has contributed to the rise of macro attacks. Vulnerabilities in Flash are being fixed more quickly and with better patches, so hackers are returning to their old tried and true methods. Others say that the amount of personal information people share freely over social media these days has driven a surge in attacks using social engineering. Enhancements in software security, which disable macros and stop the spread of malicious applications, have also pushed cyber-criminals to consider older, more workable forms of attack. There will always be naïve or curious people who will fall for a convincing scam.
Preventing macro-based attacks
There is no way to guarantee protection from a user mistakenly opening an email attachment and enabling a malicious macro.
Here are some tips to prevent macro-based attacks:
- Educate your users. Teach your employees that they should AVOID opening documents from unknown senders and instruct them to NEVER turn on macros.
- If your company doesn’t use macros for daily tasks, consider disabling them completely and always keep your Windows Operating System and Microsoft Office up to date with the latest patches.
- Ensure that your business has a strong security solution in place, combining anti-malware and anti-spam software with protection and detection solutions.
You could also consider upgrading to Office 2016. Previous versions of Office disabled macros by default; however, users still had the ability to bypass this constraint, putting themselves and the company in jeopardy. The latest version of Office provides a Group Policy setting to ‘block macros from running in Office files from the Internet’. This setting cannot be bypassed by the user, so they won’t accidentally infect their machine. The Group Policy feature blocks macros from loading from high-risk Internet locations such as OneDrive, Dropbox or Google Drive, as well as from documents sent from outside the business or obtained from file-sharing or public sharing sources. It can also be enabled for each application individually (i.e. Word, Excel and PowerPoint). Any attempt by a user to enable such a macro results in a strict warning message directing them to their administrator.
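As an added example (not part of the original article), the following PowerShell audits whether the ‘block macros from running in Office files from the Internet’ policy is enforced for Word, Excel and PowerPoint. It relies on the fact that this Group Policy setting is stored as a per-application DWORD named blockcontentexecutionfrominternet under the Office 16.0 (Office 2016) Policies hive, where 1 means blocked; the -Remediate switch and the function name are this example’s own.

```powershell
# Added example: audit (and optionally set) the Office 2016 policy that blocks
# macros in files marked as coming from the Internet. Per application, the
# policy is the DWORD 'blockcontentexecutionfrominternet' (1 = blocked).
param([switch]$Remediate)

$OfficeVersion = '16.0'
$Apps          = 'Word', 'Excel', 'PowerPoint'
$ValueName     = 'blockcontentexecutionfrominternet'

function Test-InternetMacroBlock {
    param([string]$App, [string]$Version)
    # Policy hive (user scope); Group Policy writes here when the setting is applied.
    $key   = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    $value = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        Application = $App
        RegistryKey = $key
        PolicyValue = if ($null -eq $value) { 'not set' } else { $value }
        Enforced    = ($value -eq 1)   # only an explicit 1 counts as blocked
    }
}

$results = $Apps | ForEach-Object { Test-InternetMacroBlock -App $_ -Version $OfficeVersion }
$results | Format-Table Application, PolicyValue, Enforced -AutoSize

# Optional remediation for the current user. Machine-wide enforcement should
# still be delivered through Group Policy so users cannot undo it.
if ($Remediate) {
    foreach ($r in $results | Where-Object { -not $_.Enforced }) {
        New-Item -Path $r.RegistryKey -Force | Out-Null
        New-ItemProperty -Path $r.RegistryKey -Name $ValueName -Value 1 `
            -PropertyType DWord -Force | Out-Null
        Write-Output "Enabled Internet macro block for $($r.Application)"
    }
}
```

Run without -Remediate on a sample of workstations to confirm the policy has actually been applied by Group Policy; an application showing ‘not set’ is one where a user could still enable a macro from an Internet-sourced document.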
Macro attacks are here to stay
Organisations should avoid becoming complacent when it comes to macro attacks. Even though they are an old type of threat, they are on the increase and attacks are more sophisticated, making them more difficult to detect. Businesses need to take as many precautionary measures as they can.