Since they first appeared in the nineties, malicious macros have been a valuable tool for attackers. From M/S Office 2007 onward, macros were disabled by default, and their use in malware declined. Now, in response to greater user awareness and better software protection, malware macros have evolved new tricks to fool the user, and Microsoft is warning about the stealth tactics these macros employ.
At the Microsoft Malware Protection Center (MMPC), researchers recently discovered a variant of TrojanDownloader:O97M/Donoff, a family that targets M/S Office. The sample carried VBA (Visual Basic for Applications) code ready to launch the malware as soon as the document was opened. Donoff has been a popular tool in spam and phishing campaigns in which the user is persuaded to open a Word document and then click on the macro to start the installation. The lure is sometimes presented as, for example, a PDF update reminder supposedly needed to read the text. A macro is simply a button with one or several commands behind it. Think of a nuclear launch button.
As a downloader, Donoff is similar to Dridex and Bartallex. After executing on the infected system it can drop a range of malware, including banking trojans, PoS threats, ransomware, &c. In this recent campaign the attackers have gone to new lengths to make the macro appear user-friendly. The analysed file was a Word document containing seven VBA modules and a UserForm with three buttons built from CommandButton controls.
The researchers found that the VBA modules were disguised as legitimate SQL code driven by a macro. On closer inspection, however, an alien string was found hidden in the Caption field of button #3 – this was encrypted. The other two command buttons were scrutinised and strange code was also present in #2 – this turned out to be the decryption routine for the #3 string. And lo and behold – once the #3 string was decrypted, our old friend Locky would come to visit, and all your files would be encrypted!
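As an added illustration (not code from the Microsoft or Trend Micro write-ups), the Python below triages what a VBA/form extractor hands back for such a document: it flags a UserForm control whose Caption looks like an encoded blob rather than a label, a module that reads a Caption and passes it to an execution sink, and auto-run procedures. The sample control captions and VBA snippets are constructed, and the function names are assumptions.

```python
import math
import re

def shannon_entropy(s: str) -> float:
    """Bits per character: ~6 for dense base64, ~4 or less for ordinary text."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

CAPTION_READ = re.compile(r'\.Caption\b', re.I)
EXEC_SINK = re.compile(r'(\bShell\b|\bCreateObject\b|\.Run\b|\.Exec\b)', re.I)
AUTO_EXEC = re.compile(r'\b(Document_Open|AutoOpen|Auto_Open|Workbook_Open)\b', re.I)

def check_caption(name, caption, min_len=64, min_entropy=4.0):
    """A button label is a few words; a long, dense, space-free string is not."""
    if len(caption) < min_len or re.search(r'\s', caption):
        return None
    ent = shannon_entropy(caption)
    if ent < min_entropy:
        return None
    return (name, f"blob-like Caption: {len(caption)} chars, entropy {ent:.1f} bits/char")

def check_module(name, src):
    """Flag code that pulls a Caption into an execution sink, and auto-run hooks."""
    out = []
    if CAPTION_READ.search(src) and EXEC_SINK.search(src):
        out.append((name, "reads a control Caption and feeds an execution sink"))
    if AUTO_EXEC.search(src):
        out.append((name, "auto-executing procedure present"))
    return out

def triage(controls, modules):
    findings = [hit for n, c in controls.items() if (hit := check_caption(n, c))]
    for n, src in modules.items():
        findings.extend(check_module(n, src))
    return findings

# Constructed sample shaped like an extractor's output for a UserForm (not from a real file)
SAMPLE_CONTROLS = {
    "CommandButton1": "OK",
    "CommandButton2": "Cancel",
    "CommandButton3": "9fKq2xTzLm7RwYp4Vs8Nb3HcJ6GdE1uA5iOkZ0tQnP/rXvWlB+yMgSaFhUeDjC=" * 2,
}
SAMPLE_MODULES = {
    "Module1": 'Sub RunReport()\n  Call ExecuteQuery("SELECT * FROM Sales")\nEnd Sub\n',
    "UserForm1": "Private Sub CommandButton2_Click()\n  Dim s As String\n"
                 "  s = Decode(CommandButton3.Caption)\n  Shell s, vbHide\nEnd Sub\n",
    "ThisDocument": "Private Sub Document_Open()\n  CommandButton2_Click\nEnd Sub\n",
}
```

Running `triage(SAMPLE_CONTROLS, SAMPLE_MODULES)` reports only button #3's Caption, the UserForm module that decodes it into Shell, and the Document_Open hook; the benign SQL module and the "OK"/"Cancel" labels are left alone.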
In this instance the new technique appears to be only a fallback, meant to entice the user into enabling macros (or, before M/S Office 2016, ActiveX), because if macros are already enabled the malicious code launches automatically when the document is opened anyway.
Dridex was also observed earlier in the year using this obfuscation method to hide malicious code. Trend Micro uncovered this and reported that Form objects (such as windows or dialogue boxes) were being used to disguise the malicious button and lure the user into enabling the function. Disable macros unless absolutely necessary, and only enable them if the document comes from a trusted source.