30 November 2022
How to protect your organisation from macro malware

Data protection experts are predicting a macro malware comeback. Logpoint’s recent analysis of threat intelligence reports in 2022 indicates that malicious macro use is increasing and shows “no signs of stopping”.

In fact, in Reason Lab’s The State of Consumer Cybersecurity 2022 report, macro malware remains in the top 10 detected threats. Macro malware is also boosted by a stark increase in phishing attacks, which are the usual delivery route for it. IBM reports that 41% of attacks last year were phishing attacks, whilst a separate report indicates a 9% increase in bulk phishing attacks against organisations.

In this article, we will be running through what a macro malware attack looks like, how to identify a potential attack and what your organisation needs to do in order to stay safe from this common cyber threat.

What is macro malware?

Sometimes known as macro viruses, macro malware takes advantage of the macro functionality in programmes such as Microsoft Office. By using Visual Basic for Applications (VBA) in programmes like Office, macro malware spreads viruses and worms on the host device. VBA is the scripting language used within Microsoft Office documents. Threat actors can hide malicious code inside the VBA project of a Microsoft Office attachment, smuggling the malware in with an otherwise ordinary-looking document.

Programmes such as Microsoft Office regularly use macros to automate common tasks and can make users incredibly productive. However, macro malware uses this same functionality to infect your device. Because macro viruses infect the application rather than the operating system, macro malware can affect devices running Windows, macOS and Linux alike.

In fact, in 2017 MacDownloader, the first Word macro virus for macOS, was discovered. MacDownloader enabled hackers to use malicious Word documents to install malware on a Mac that then steals data, browsing history logs, webcam files, passwords, and encryption keys.

What can macro malware do?

When an unsuspecting user opens such an attachment and inadvertently runs the hidden macros, the malware code can infect any file subsequently opened with Microsoft Office. The malware then transmits whichever data files it deems important or useful back to the hacker.

The virus can also:

  • Cause text documents to become corrupted, with data lost forever.
  • Format your hard drives without your permission.
  • Create new files on your device.
  • Corrupt and/or erase your stored data.
  • Gain access to your email accounts and compromise personal data and communication.
  • Forward infected files to everyone on the user’s contact list.

The start of macro malware

Macro malware viruses were incredibly rampant in the 1990s as understanding of the cyber threat was minimal or otherwise non-existent.

One of the first cases of macro viruses being used was in 1995 when the Concept Virus first appeared accidentally on a Microsoft Compatibility Test CD-ROM sent by Microsoft to hundreds of corporations. 

The most notable macro virus after the Concept Virus is the Melissa Virus. Deployed in 1999, the Melissa Virus was spread via email attachments. The Melissa virus would use macros in Microsoft Word 97, 2000, Excel and Outlook to spread malware to other email messages and contacts. Melissa infected more than 1 million email accounts and cost businesses more than $80 million!

Some of the most well-known threat actors that used malicious macros were APT28 and MuddyWater.

However, over time, as understanding of the cyber threat grew, the average user gained the ability to combat this macro threat on their own.

How has macro malware changed

In the past, macro programmes would run macros as soon as a document containing one was opened. However, with the release of Microsoft Office 2000, macros were disabled by default. Remember, this is not the case with all macro programmes, so the need to remain vigilant remains.

Furthermore, whilst updates have blocked several common macro threat vectors, cyber criminals are still taking advantage of other Windows startup vulnerabilities that have yet to be addressed.

Now, combined with social engineering techniques, macro malware attacks have found a second wind. Not only are many organisations still using macro programs that are vulnerable to macro malware attacks, but socially engineered malware attacks are also tricking people into compromising their personal and corporate devices.

Macro malware attacks now need to convince users, either with enticing information or scare tactics, to enable macros first in order to allow their malware to run.

In 2014, the macro virus known as Hancitor/Chanitor was hidden in Word documents and delivered via phishing emails. It would download large amounts of data for the threat actor and deploy banking trojans and ransomware onto the infected machine.

In 2020, we saw a massive increase in macro malware attacks as threat actors started abusing Excel 4.0 (XLM) macros. XLM macros work in much the same way as VBA macros but offer threat actors a second route into the underlying application. As a result, Expel’s 2022 report detailed a 4% increase in macro attacks via Excel documents.

How to identify malicious macro malware scams

If you have dealt with phishing attacks and ransomware attacks in the past, dealing with macro malware scams should come easily to you. Essentially, if the file holding the macro malware is not run, then the malware cannot infect your device or your macro programmes in any way.

As a result, the key to identifying and stopping macro malware scams lies with employee cyber security awareness. Can your employees spot phishing emails, and do they know who to report these phishing attempts to? Every organisation will have its own security protocols, so it is key that your employees are vigilant and treat all emails with caution unless they have verified the sender and the contents of the attachments.

However, there are a couple of universal signs to look out for to avoid phishing macro malware emails:

  • Attached documents that offer a preview can sometimes be a sign of hidden macro malware.
  • Always check the title and file extension of attachments for signs of legitimacy or illegitimacy.
  • If you are not expecting them, be wary of invoices, receipts, and legal documents from unknown senders. Often hackers use files like these to entice or scare people into opening them.

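The file-extension check above, and the XLM (Excel 4.0) macro sheets mentioned earlier, can both be automated before an attachment ever reaches a user. The following PowerShell script is an added example written for this article, not code from TSC or from any of the vendors cited; it assumes PowerShell 5.1 or later on Windows and a folder of extracted attachments at the constructed path C:\quarantine\attachments. It flags macro-capable extensions and, for the zip-based OOXML formats, looks inside the package for a VBA project (vbaProject.bin) or XLM macro sheets (xl/macrosheets/) without opening the document in Office.

```powershell
# Added example (not from the article): flag attachments that can carry macros.
# For each file it reports:
#   1. whether the extension is a macro-capable Office format (.docm, .xlsm, .doc, ...)
#   2. for OOXML (zip-based) files, whether the package holds a VBA project
#      (vbaProject.bin) or Excel 4.0 / XLM macro sheets (xl/macrosheets/).
# Assumed environment: Windows PowerShell 5.1+ with .NET's System.IO.Compression.

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Legacy binary formats (.doc/.xls/.ppt) can always hold macros; the OOXML "m" formats
# are designed to. The "x" formats should not, so a vbaProject.bin inside a .docx is
# itself suspicious (the attacker may have renamed the file).
$MacroCapableExtensions = @('.docm', '.dotm', '.xlsm', '.xltm', '.xlam', '.pptm', '.potm', '.ppam',
                            '.doc', '.dot', '.xls', '.xlt', '.xla', '.ppt', '.pot')
$OoxmlExtensions = @('.docx', '.dotx', '.docm', '.dotm', '.xlsx', '.xltx', '.xlsm', '.xltm', '.xlam',
                     '.pptx', '.potx', '.pptm', '.potm', '.ppam')

function Test-OfficeAttachment {
    param([Parameter(Mandatory)][string]$Path)

    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $result = [ordered]@{
        File             = $Path
        Extension        = $ext
        MacroCapableExt  = $MacroCapableExtensions -contains $ext
        HasVbaProject    = $false
        HasXlmMacroSheet = $false
        Verdict          = 'allow'
    }

    if ($OoxmlExtensions -contains $ext) {
        # OOXML documents are zip packages; inspect entry names without extracting anything.
        try {
            $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
            try {
                foreach ($entry in $zip.Entries) {
                    if ($entry.FullName -match '(^|/)vbaProject\.bin$') { $result.HasVbaProject = $true }
                    if ($entry.FullName -like 'xl/macrosheets/*')      { $result.HasXlmMacroSheet = $true }
                }
            } finally { $zip.Dispose() }
        } catch {
            # An Office extension on a file that is not a valid zip deserves a look too.
            $result.Verdict = 'review (unreadable package)'
            return [pscustomobject]$result
        }
    }

    if ($result.HasVbaProject -or $result.HasXlmMacroSheet) {
        $result.Verdict = 'quarantine (macros present)'
    } elseif ($result.MacroCapableExt) {
        # Legacy OLE files (.doc/.xls) are not zips; a dedicated parser such as
        # oletools' olevba is needed to confirm whether macros are actually present.
        $result.Verdict = 'review (macro-capable format)'
    }
    [pscustomobject]$result
}

# Usage: scan the constructed quarantine folder and list anything not cleared.
Get-ChildItem -Path 'C:\quarantine\attachments' -File |
    ForEach-Object { Test-OfficeAttachment -Path $_.FullName } |
    Where-Object { $_.Verdict -ne 'allow' } |
    Format-Table File, Extension, HasVbaProject, HasXlmMacroSheet, Verdict -AutoSize
```

The point of the design is that the verdict never depends on the file name alone: a document renamed from .docm to .docx still carries its vbaProject.bin entry, and the script catches it at that layer. Anything it marks "review" should go to the security team rather than back to the recipient.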
How to prevent macro malware attacks

We must reiterate that the best way to prevent a macro malware attack is to arm your employees with the information they need to identify a potential phishing macro email and the knowledge they need to avoid and report it.

In order to prevent macro malware attacks, you need to:

  • Educate your employees: There is no substitute for education and security maturity. When you train employees to spot phishing emails and dodgy documents/links, they become your first line of defence against cyber threats and hackers. Not only will you be keeping them safe in the office but in their everyday life as well. Once employees understand the risks and consequences of a malware attack, using context and examples, they will remain vigilant and aware to cyber threats.
  • Disable macros in Microsoft Office: this should be handled by your security and IT admins, but your organisation must ensure that macros are turned off by default. Remember, if you have other programmes that utilise macros, these need macros disabled as well. However, not all programmes have this option, which is why it is important to fortify employee knowledge of the cyber threat.
  • Utilise an antivirus program: most free and off-the-shelf antivirus programs will warn users when they attempt to open an attachment that contains a dodgy link or a compromised file.
  • Use a spam filter: most email servers and organisations will use a company-wide spam/junk filter to root out malware infected emails. However, employees should still remain vigilant as emails can sneak past this technical barricade and will prey on employees with a false sense of security.
  • Avoid opening attachments from unknown senders: Much like a zero trust policy, if you do not know the sender of an email or have yet to verify the sender, do not open any attachments. Do not be tricked by phishing emails from unknown senders that use personal information or even your name, as a hacker could have scraped this from your online profile.
  • Regularly update and patch: Ensure your employees are regularly updating and patching their hardware and software. Updates and patches plug security gaps and vulnerabilities as and when they arise. When you don’t update, you are leaving yourself open to threat actors.
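
For the "disable macros in Microsoft Office" step, the setting IT admins actually enforce is the VBA security level and the "block macros from the internet" policy that Office reads from the registry. The script below is an added example written for this article, not TSC's own tooling or anything published by Microsoft; it assumes Office 2016/2019/Microsoft 365 (policy branch 16.0) and applies the per-user policy values for Word, Excel and PowerPoint, then reads them back so you can confirm each application is compliant. In production you would push the same values through Group Policy or Intune rather than a logon script, and pilot them first, since VBAWarnings=4 silently blocks legitimate business macros too.

```powershell
# Added example (not from the article): enforce and verify Office macro policy
# through the registry values that Office's Group Policy templates write.
# Assumed: Office 2016/2019/365 (policy branch "16.0"), run in the user's context
# or deployed as the equivalent GPO/Intune setting.

$Apps = @('Word', 'Excel', 'PowerPoint')

# VBAWarnings: 1 = enable all macros, 2 = disable with notification (Office default),
#              3 = disable except digitally signed, 4 = disable all without notification
# blockcontentexecutionfrominternet: 1 = block macros in files carrying Mark-of-the-Web
function Set-OfficeMacroPolicy {
    param(
        [ValidateSet(2, 3, 4)][int]$VbaWarnings = 3,
        [bool]$BlockInternetMacros = $true
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VbaWarnings -Type DWord
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
                         -Value ([int]$BlockInternetMacros) -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $values = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Application   = $app
            VBAWarnings   = if ($values) { $values.VBAWarnings } else { 'not set (Office default: 2)' }
            BlockInternet = if ($values) { $values.blockcontentexecutionfrominternet } else { 'not set' }
            # Compliant means: signed macros only (or none) AND internet-sourced macros blocked.
            Compliant     = ($values.VBAWarnings -ge 3) -and ($values.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

# Usage: apply "disable all except digitally signed" plus internet blocking, then audit.
Set-OfficeMacroPolicy -VbaWarnings 3 -BlockInternetMacros $true
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

The audit function is the part worth keeping around: running Get-OfficeMacroPolicy on its own gives a quick answer to "are macros actually disabled on this machine?", which is the question the article's advice turns on.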

How to tell if you have been infected by macro malware?

You’ve armed your employees with the knowledge and understanding of macro malware but the possibility that someone will fall for a dodgy attachment still remains. In this case, it will be helpful to know the signs of a macro virus infection. Whilst it can be difficult to detect, there are some signs you can look out for. These include:

  • Slow system speed.
  • Strange display error messages.
  • Password prompts for files that are not password locked.
  • System begins to save documents as template files.

Stay safe from malicious macro malware!

Employees of a certain demographic will have plenty of experience with macro malware. However, not all of your employees will be familiar with macro malware – which can be worrying when the cyber threat is making a strong comeback.

In order to keep your organisation safe from macro malware, you must educate your employees on how to identify, avoid and report the attempted attack before a breach can occur and data is compromised.

There is no stronger safeguard for your cyber safety than an increase in cyber security awareness across your employee base. TSC can work with your organisation, from board level to front line staff, to plug security gaps, reach across workforce demographics and build security maturity against common cyber threats such as macro malware.

If you would like more information about how The Security Company can help deliver phishing security awareness training for your employees, or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact Jenny Mandley.

Written by
Nas Ali
Cyber security and awareness content creator focused on emerging threats and the next wave of cyber security risks like AI, deepfakes and tech 4.0 initiatives in order to build towards a more secure organisational culture.