Malicious Documents Use New Tricks To Evade Detection, Warns Zscaler

Security firm Zscaler has warned of more cyber nastiness after it discovered malicious documents that evade detection by using a new technique.

It seems attackers are enabling macros within malicious Microsoft Word documents as part of their attempt to evade the analysis systems used by anti-virus tools.

Macro Trick

Malicious executables hidden within documents are not a new phenomenon, but attackers are increasingly utilising new techniques to make it harder for security software to detect them proactively, blogged Zscaler.

Zscaler said that attackers are now making use of macros, which of course are pieces of code embedded inside Microsoft Office documents (usually written in Visual Basic). Microsoft Office disables macros by default, but attackers are now apparently “using clever social engineering tactics to lure the user into enabling the macros.”

And it seems that malware authors making the macro code extremely difficult to detect by signature based systems.

“In addition to highly obfuscated macros, malware authors are using multiple techniques in macros to detect the virtual environment and automated analysis systems,” warned Zscaler.

“If any of these anti-VM or anti-sandbox checks is positive then the VBA macro code execution terminates and the end malware payload does not get downloaded on the system shielding it from automated analysis and detection,” said Zscaler. “Alternately, the malicious document will download and install a malware executable on the victim’s system if all the anti-VM checks fail.”

“Malicious documents with highly obfuscated macros have become an increasingly popular vector among cyber criminals to deliver malware executable payloads,” said Zscaler. “By adding newer anti-VM and anti-analysis techniques to the malicious documents itself, the attackers are protecting the end executable payloads from being downloaded and detected by the automated analysis systems.”

Ongoing Problem

The firm advises users to never trust documents that prompt them to enable macros in order to view the content.

In March Microsoft made it tougher for enterprises to fall victim to macro-based attacks that prey on Office users. It implemented a new policy-setting feature in Office 2016 that allows administrators to block macros from untrusted sources.

Despite that, macro-based malware continues to be a thorn in the side of IT departments tasked with securing their organisations’ systems.

Are you a security pro? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago