Data protection experts are predicting a comeback for macro malware. Logpoint’s recent analysis of threat intelligence reports in 2022 indicates that macro use is increasing and shows “no signs of stopping”.
In fact, in Reason Labs’ The State of Consumer Cybersecurity 2022 report, macro malware remains in the top 10 detected threats. Macro malware is also boosted by a stark increase in phishing attacks, which are its main delivery route. IBM reports that 41% of attacks last year were phishing attacks, whilst a separate report indicates a 9% increase in bulk phishing attacks against organisations.
In this article, we will be running through what a macro malware attack looks like, how to identify a potential attack and what your organisation needs to do in order to stay safe from this common cyber threat.
Sometimes known as macro viruses, macro malware abuses the macro capability of programmes such as Microsoft Office rather than a software vulnerability. Macros are small programs written in Visual Basic for Applications (VBA), the scripting language embedded in Microsoft Office documents, and the application will run them for anyone who opens the document and enables them. Threat actors hide malicious code inside the VBA project of an Office attachment, and that code then downloads or drops further malware onto the host device.
Programmes such as Microsoft Office regularly use macros to automate common tasks and can make users incredibly productive. However, macro malware uses this same functionality to infect your device. Because macro malware runs inside the application rather than exploiting the operating system, it can affect any platform the application runs on: Windows and macOS in the case of Microsoft Office, and Linux only through other office suites that support macros.
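To make concrete what “hiding code inside the VBA project” means, here is an added example that is not part of the original article. Inside vbaProject.bin each module’s source is stored compressed with the MS-OVBA algorithm (at an offset recorded in the project’s dir stream); the code below decompresses such a module stream and flags auto-execute entry points combined with calls a benign macro rarely needs. Locating the stream inside the OLE container is left to an OLE parser (for example olefile), which is not used here, and the module source is a constructed, harmless sample encoded with a literal-only encoder written purely to build that sample.

```python
import re

# Auto-execute entry points: names Office calls on open/close without any click
AUTO_EXEC = re.compile(
    r"\b(?:Auto(?:Open|Close|Exec|New|Exit)|Auto_(?:Open|Close)"
    r"|Document_(?:Open|Close|New)|Workbook_(?:Open|Close|Activate))\b",
    re.I,
)
# Calls that an 'automate my spreadsheet' macro rarely needs
SUSPICIOUS = re.compile(
    r"\b(?:Shell|ShellExecute|CreateObject|GetObject|WScript\.Shell"
    r"|URLDownloadToFile|Environ|Kill|powershell|cmd(?:\.exe)?|ChrW?|Xor)\b",
    re.I,
)


def decompress_vba_source(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (section 2.4.1 of the spec),
    the encoding Office uses for module source inside vbaProject.bin."""
    if not container or container[0] != 0x01:
        raise ValueError("missing MS-OVBA container signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        if (header >> 12) & 0x07 != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(container))  # size field excludes 3 bytes
        compressed = bool(header & 0x8000)
        chunk_out_start = len(out)
        pos += 2
        if not compressed:  # raw chunk: up to 4096 literal bytes
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]
            pos += 1
            for bit in range(8):  # one flag bit per token, least significant bit first
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:  # literal token: one byte copied as-is
                    out.append(container[pos])
                    pos += 1
                    continue
                token = int.from_bytes(container[pos:pos + 2], "little")  # copy token
                pos += 2
                produced = len(out) - chunk_out_start
                if produced == 0:
                    raise ValueError("copy token with nothing to copy")
                # how many of the 16 bits hold the offset depends on bytes decoded so far
                bit_count = max((produced - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > produced:
                    raise ValueError("copy token reaches before chunk start")
                src = len(out) - offset
                for i in range(length):  # byte by byte so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


def compress_literal_only(source: bytes) -> bytes:
    """Build a valid single-chunk container using only literal tokens. Used here
    only to construct the sample; Office's own encoder also emits copy tokens."""
    if not source or len(source) > 3000:
        raise ValueError("sample must be 1..3000 bytes for a single chunk")
    tokens = bytearray()
    for i in range(0, len(source), 8):
        tokens.append(0x00)          # flag byte: the next (up to) eight tokens are literals
        tokens += source[i:i + 8]
    header = 0x8000 | 0x3000 | (len(tokens) + 2 - 3)  # compressed flag, signature, size-3
    return b"\x01" + header.to_bytes(2, "little") + bytes(tokens)


def triage_vba(source: str) -> dict:
    """Report auto-execute names and suspicious calls found in decompressed VBA source."""
    auto = sorted({m.group(0) for m in AUTO_EXEC.finditer(source)}, key=str.lower)
    susp = sorted({m.group(0) for m in SUSPICIOUS.finditer(source)}, key=str.lower)
    return {"auto_exec": auto, "suspicious": susp, "likely_malicious": bool(auto and susp)}


# Constructed sample module source (harmless: it only launches the calculator)
SAMPLE_SOURCE = (
    'Attribute VB_Name = "ThisDocument"\r\n'
    "Sub AutoOpen()\r\n"
    "    Dim sh As Object\r\n"
    '    Set sh = CreateObject("WScript.Shell")\r\n'
    '    sh.Run "calc.exe", 0\r\n'
    "End Sub\r\n"
)
# Hand-encoded container exercising a copy token: literal 'A', then copy 11 bytes from offset 1
COPY_TOKEN_SAMPLE = bytes.fromhex("01 03b0 02 41 0800")

if __name__ == "__main__":
    blob = compress_literal_only(SAMPLE_SOURCE.encode("cp1252"))
    text = decompress_vba_source(blob).decode("cp1252", "replace")  # source uses the project code page
    print(triage_vba(text))
    print(decompress_vba_source(COPY_TOKEN_SAMPLE))
```

The keyword lists are deliberately short; a production triage tool would also look for string obfuscation (long Chr/Xor chains), Base64 blobs and document properties used as payload storage.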
In fact, in 2017 the first malicious Word macro targeting macOS was discovered in the wild: opening the document and enabling its macro ran a payload designed to steal data such as browser history, webcam captures, passwords and encryption keys from the Mac.
When an unsuspecting user opens the attachment and enables the hidden macro, its code runs with that user’s privileges inside Office. Classic macro viruses copied themselves into the global template so that every document opened or created afterwards was infected; modern macro malware more often uses the macro as a first stage that fetches and runs a further payload. Either way, the malware can then collect the data files deemed important or useful and transmit them back to the attacker.
The virus can also:
Macro viruses were incredibly rampant in the 1990s, when understanding of the threat was minimal or non-existent.
One of the first cases of a macro virus in the wild was in 1995, when the Concept virus appeared, accidentally, on a Microsoft compatibility test CD-ROM sent by Microsoft to hundreds of corporations.
The most notable macro virus after Concept is Melissa. Released in 1999, Melissa spread via email attachments: a Word 97 or Word 2000 document whose macro used Outlook to mail a copy of the infected document to the first 50 addresses in the victim’s contacts. Melissa infected more than a million computers and cost businesses more than $80 million.
Some of the most well-known threat actors to have used malicious macros are APT28 and MuddyWater.
However, over time, as understanding of the threat grew, the average user gained the ability to combat macro malware on their own, and vendors changed their defaults.
In the past, Office would run a document’s macros as soon as the document was opened. Since Microsoft Office 2000, macros have been disabled by default, and since 2022 Microsoft has gone further by blocking VBA macros outright in files that carry the “Mark of the Web” because they came from the internet or email. Remember, this is not the case with every macro-capable programme, so the need to remain vigilant remains.
Furthermore, whilst updates have blocked several common macro delivery routes, cyber criminals continue to find other ways of getting a macro’s payload to run and persist on Windows that have yet to be addressed.
Now, combined with social engineering techniques, macro malware attacks have found a second wind. Not only are many organisations still using programmes that support macros, but socially engineered lures are also tricking people into compromising their personal and corporate devices.
Macro malware attacks now have to convince users, either with enticing information or scare tactics, to enable macros before the malicious code can run at all. The typical lure is a banner inside the document claiming that the content is “protected” or was created in an older version of Office and that the reader must click “Enable Content” to view it.
In 2014, the macro malware known as Hancitor (also called Chanitor) hid in Word documents delivered via phishing emails. It acted as a downloader, fetching further payloads for the threat actor, including banking trojans and, later, ransomware, onto the infected machine.
In 2020, we saw a massive increase in attacks using Excel 4.0 (XLM) macros. XLM is an older macro technology than VBA (Excel 4.0 dates from 1992) and is stored in hidden macro sheets rather than in a VBA project, which gives threat actors a second route to code execution that many macro-detection tools were not inspecting. As a result, Expel’s 2022 report detailed a 4% increase in macro attacks via Excel documents.
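To show where the two macro technologies live inside a modern Office file, here is an added example that is not part of the original article. OOXML files (.docm, .xlsm and so on) are ZIP archives: VBA sits in a vbaProject.bin part, while Excel 4.0 macros sit in xl/macrosheets/ and are triggered by an Auto_Open defined name in xl/workbook.xml. The scanner below lists those parts, flags a macro-carrying file that wears a “macro-free” extension, and hands legacy OLE files (.doc/.xls) off for separate inspection. The sample packages are constructed in memory and stand in for real files; the Content_Types part is stubbed.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt compound-file header
VBA_PART = re.compile(r"^(?:word|xl|ppt)/vbaProject\.bin$", re.I)
XLM_PART = re.compile(r"^xl/macrosheets/[^/]+\.xml$", re.I)
# Excel runs a macro sheet on open when the workbook defines Auto_Open (written as _xlnm.Auto_Open)
XLM_AUTO = re.compile(r'<definedName\b[^>]*\bname="(?:_xlnm\.)?Auto_(?:Open|Close)', re.I)
MACRO_FREE_EXT = {"docx", "xlsx", "pptx"}


def scan_office_file(data: bytes, filename: str) -> dict:
    """Inventory macro-bearing parts of an Office file and give a triage verdict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    f = {"vba": False, "xlm": False, "xlm_auto_open": False, "legacy_ole": False,
         "ext_mismatch": False, "parts": [], "verdict": "clean"}
    if data.startswith(OLE_MAGIC):
        # Binary format: macros live in a 'Macros' storage that needs an OLE parser to read
        f["legacy_ole"] = True
        f["verdict"] = "needs_ole_inspection"
        return f
    if not data.startswith(b"PK"):
        raise ValueError("not an OOXML (zip) or OLE file")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for name in names:
            if VBA_PART.match(name):
                f["vba"] = True
                f["parts"].append(name)
            elif XLM_PART.match(name):
                f["xlm"] = True
                f["parts"].append(name)
        if f["xlm"] and "xl/workbook.xml" in names:
            workbook = z.read("xl/workbook.xml").decode("utf-8", "replace")
            f["xlm_auto_open"] = bool(XLM_AUTO.search(workbook))
    has_macros = f["vba"] or f["xlm"]
    # Macro content under a macro-free extension is a mismatch worth flagging, not trusting
    f["ext_mismatch"] = has_macros and ext in MACRO_FREE_EXT
    f["verdict"] = "macros" if has_macros else "clean"
    return f


def build_word_doc(with_vba: bool) -> bytes:
    """Constructed minimal Word package; with_vba adds the VBA project part a .docm carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)  # stand-in for a real project
    return buf.getvalue()


def build_excel_doc(with_xlm: bool) -> bytes:
    """Constructed minimal Excel package; with_xlm adds an Excel 4.0 macro sheet and an Auto_Open name."""
    names = ('<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName></definedNames>'
             if with_xlm else "")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook>" + names + "</workbook>")
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_xlm:
            z.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    for data, name in [(build_word_doc(True), "invoice.docm"),
                       (build_word_doc(True), "invoice.docx"),
                       (build_excel_doc(True), "report.xlsm"),
                       (OLE_MAGIC + b"\x00" * 512, "old.doc")]:
        print(name, scan_office_file(data, name))
```

A mail gateway or endpoint check built on this logic stops at “this file carries macros”; deciding whether they are malicious still needs the module source (for VBA) or the macro sheet formulas (for XLM) to be extracted and read.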
If you have dealt with phishing and ransomware attacks in the past, dealing with macro malware should come easily to you. Essentially, if the macro is never enabled and run, the malware cannot infect your device or your Office applications in any way.
As a result, the key to identifying and stopping macro malware lies with employee cyber security awareness. Can your employees spot phishing emails, and do they know who to report phishing attempts to? Every organisation will have its own security protocols, so it is key that your employees are vigilant and treat all emails with caution unless they have verified the sender and the contents of any attachments.
However, there are a couple of universal signs to look out for to avoid phishing emails carrying macro malware:
Once again, we must reiterate, the best way to prevent a macro malware attack is to arm your employees with the information they need to identify a potential phishing macro email and the knowledge they need to avoid and report it.
In order to prevent macro malware attacks, you need to:
You’ve armed your employees with knowledge and understanding of macro malware, but the possibility that someone will fall for a dodgy attachment still remains. In this case, it will help to know the signs of a macro virus infection. Whilst an infection can be difficult to detect, there are some signs you can look out for. These include:
Employees of a certain age will have plenty of experience of macro malware. However, not all of your employees will be familiar with it, which is worrying when the threat is making a strong comeback.
In order to keep your organisation safe from macro malware, you must educate your employees on how to identify, avoid and report the attempted attack before a breach can occur and data is compromised.
There is no substitute for cyber safety stronger than greater cyber security awareness across your employee base. TSC can work with your organisation, from board level to front line staff, to plug security gaps, reach across workforce demographics and build security maturity against common cyber threats such as macro malware.
If you would like more information about how The Security Company can help deliver phishing security awareness training for your employees or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact Jenny Mandley.
© The Security Company (International) Limited 2023
Office One, 1 Coldbath Square, London, EC1R 5HL, UK
Company registration No: 3703393
VAT No: 385 8337 51