Malware developers have been using Word macros to deliver malware for 15 years.
The approach, which takes advantage of the macros’ capability to automatically execute a series of instructions as a single command, has seen action since the early 2000s.
As users became accustomed to it, developers moved away from the tactic as defenses were able to fight it off.
But things started changing near the end of 2014.
Over the past two years, malware developers went through different approaches for tricking users into enabling Word macros, but the malicious Word documents usually contained just scripts that would download a dropper, which would then download the final malicious payload from a C&C server.
A new wave of phishing emails deliver malicious Word documents posing as invoices, and asking users to enable macros in order to view the content, said researchers at Barkly.
But this run was unlike others before it, because attackers were leveraging a second-stage executable payload embedded directly into the Word document.
“One thing that makes this latest version of [well-known downloader] Hancitor stand out is that its payload is already bundled as a binary object directly in the Word doc. It’s this payload that pings the C2 server. What it receives are pointers back to two additional binary objects (one executable and one DLL), which it downloads and executes,” said Barkly researchers in a post. The executed dynamic linked library (DLL) calls allows the attackers access to operating system resources and to grab additional payloads.
The change in approach is an attempt to throw traditional security tools off the malware’s scent.
In this particular spam campaign, Hancitor attempts to drop the Pony and Vawtrak information-stealing Trojans, but it could just as easily be any other type of malware.
In enterprise setups, employees can end up protected through a combination of AV and behavioral-based protection, email filtering, and event monitoring, the researchers said. Educating users on how to spot malicious emails and phishing attempts, and making sure that they can report incidents easily and without fear of negative repercussions, is also a must.
In Office 2016, Microsoft has added a feature that allows enterprise administrators to block all macros from running in Office documents that come from the Internet.
Non-enterprise users must still rely on their own capabilities to spot these attempts, but endpoint security solutions and spam filters used by popular email providers can be of great help.