Anti-Malware , Fraud , Technology

Banking Malware Taps Macros

Attackers Use Cloud Services, Trickery to Evade Defenses
Banking Malware Taps Macros

Macro viruses are back.

See Also: API vs. Proxy: Understanding How to Get the Best Protection from Your CASB

Security firms report a sharp rise in the quantity of attacks that use macro code - designed to automate tasks - to trigger malware downloads, often for the purpose of stealing people's online banking credentials. "Just when you think macro malware is a thing of the past, over the past few months, we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide," warns Microsoft's Malware Protection Center.

Reports of macro-virus threats might trigger feelings of déjà vu, since macro code - contained in malicious email attachments - was a hallmark of late-'90s attacks. "Macro-based threats were an issue in the past, but years ago antivirus/security won the battle against email attachments," Sean Sullivan, security advisor for Finnish antivirus firm F-Secure, tells Information Security Media Group. "Gateway scanning systems can detect patterns of bulk attachments. And that's how people were generally exposed to macro-based threats.

But today's macro attacks differ from previous such attacks in notable ways. Technically speaking, today's attacks are making use of zipped file attachments to try and fool antivirus scanners, as well as using cloud-based storage, "so there are no attachments to scan and block, just links - and that, I would say, makes a big difference," Sullivan says. Finally, a number of recent attacks have attempted to execute macros using Microsoft's task-based command-line shell and scripting language PowerShell.

Microsoft says it's seen an increase in malware and fraud campaigns that use macro downloaders - including Adnel, Bartallex (a.k.a. Bartalex), Donoff, Jeraps, and Ledod - in conjunction with social-engineering attacks. Such trickery is often required because the Microsoft Office default has long been to "disable all macros with notification," which some security experts say is the single biggest reason such attacks declined. Accordingly, many attackers now try to trick would-be victims into reactivating macro capabilities.

"Macro downloaders serve as the gateway for other nasty malware to get in," Microsoft says. On the bright side, however, researchers at Tenable Network Security report that the current volume of macro malware attacks is so far less than what was seen 15 years ago.

Macro Malware Spikes


Macro downloader variants (blue) and infected machines (orange) seen over the past year. Source: Microsoft.

Bartalex: ACH Fraud

Macro-wielding attackers are increasingly using cloud services to evade existing defenses. Trend Micro, for example, reports this week that it's seen a recent flurry of spam emails that have Bartalex macro malware attached. The social-engineering attack tells recipients that their Automated Clearing House electronic-funds transfer was declined, and invites the recipient to click a link to "view the full details," which leads to a Dropbox page that lists specific instructions, including the need to enable Microsoft Office macros, says Trend Micro fraud analyst Christopher Talampas in a blog post.

If users fall for the ruse, the macro runs and attempts to load the Dyre banking malware. Talampas says this particular Dyre variant "targets banks and financial institutions in the United States, among which are J.P. Morgan, U.S. Bank, California Bank & Trust, [and] Texas Capital Bank."

Tapping PowerShell

Recent variants of the Dridex banking malware, which is designed to steal credentials for online accounts, have been distributed by spam emails, and have been attempting to execute macros via PowerShell, if it's installed, warn Intel Security researchers Jorge Arias and Yerko Grbic in a blog post.

Dridex is based on Cridex, which is itself based on the Gameover Zeus malware. And one recent Dridex variant, Intel Security says, uses an XML document - stored either in .xml or .doc file - to execute an OLE file containing a malicious, embedded macro routine that it attempts to execute via Windows PowerShell task-automation software, if installed.

A second variant uses a Word or Excel file that contains an Office Active Object and tries to trick the user into executing the OLE file, leading to the same result. "Thus, even if the user has not enabled the execution of macros, the malware can execute by running the malicious code directly from the OLE file" in PowerShell, the Intel Security researchers say. At that point, the malware "phones home" to a command-and-control server to report that the PC has been compromised, and await further instructions.

"Macros are now more powerful than before with the help of other features, such as PowerShell," says security researcher Raul Alvarez at security products vendor Fortinet in a blog post. "That is one of the reason why attackers are including them in their arsenal. Due to its simplicity, ease of use, and more additional features, we are going to see more [macro attacks] in the future.

Macro Defense

The rise in macro-malware attacks begs the question of what businesses should be doing to block it, and F-Secure's Sullivan suggests blocking all macros whenever possible. "I submitted the issue to my IT security team with a link to a Microsoft page containing instructions on how to limit Office macro security settings via Group Policy. The team is now looking at what teams actually need Macros - probably just the finance people," he says. "I would suggest that other companies do the same review and use Group Policies to disallow macros."

For any business not big enough to employ Group Policy, focus on educating users. "Small businesses should educate staff about the issue to make sure they know not to enable macros," Sullivan says.

Standard antivirus defense rules also still apply, say security researchers at Tenable Network Security. They recommend users never open attachments from untrusted sources - and unless they know why they have received it. They also recommend that network administrators quarantine and check all attachments prior to releasing them to users.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network