Recent articles about the Dridex botnet and the Adnel and Tarbir malware have reported resurgence in malware embedded as macros within Microsoft Office Documents. When looking at malware attached to spam emails, Trend Micro’s Trend Labs have seen a rise in macro-based malware against the still dominant UPATRE malware.
One example of macro-based malware is Adnel, a macro that downloads and runs files on your PC when you open an infected Microsoft Office file. To show how anti-malware engines detect new threats over time, we used Metascan Online to scan an Excel document with Adnel embedded as a macro. Detection grew from zero anti-malware engines at the initial scan on January 23, 2015, to 28 anti-malware engines on March 31, 2015.
Reading reports about email attacks that use macro-based malware should reaffirm the importance of designing a good email security policy within an organisation. One of the first steps in creating an effective policy is to properly train employees so that they aren’t opening malicious email attachments or enabling macros in any documents that come from unknown sources. It is important to also make employees aware of certain cyber-attack trends, such as social engineering, which can induce the user to enable macros using manipulation tactics.
By default, any Office documents that are opened as an email attachment have macros and editing disabled, so the user needs to actively choose to enable them within the document. In order to entice the user to perform this action, attackers try to create a document that the user would want to modify, either because they would need to edit it to send it back or would need to perform some other action on the document. This attack method is dangerous because users need to make edits to documents on a regular basis, but may not expect the document to contain malware. By training users on what to look for to ensure these documents come from trusted sources, organisations can take a step towards better email security practices.
Although training employees is a good first step, it is by no means a surefire way to prevent macro-based threats. In addition to training, measures should be put in place to block or remediate emails that might contain a potential threat. A few of these measures include blocking email attachments from unknown sources that contain dangerous file types, scanning attachments with multiple antivirus engines, and most importantly, protecting against macro-based malware by sanitising email attachments to remove unknown threats. Sanitising files, whether through file type conversion or other methods, will strip out any potentially dangerous macros while leaving behind the safe file content. This will prevent both known and unknown macro-based threats from entering an organisation through email.
1. Scan results for Adnel malware sanitised through file type conversion
2. Second example of sanitised Adnel malware scan results
These examples show that even back on January 23rd, when none of the anti-malware engines were detecting our Adnel sample as a threat, document sanitisation could have been used to neutralise the threat. Document sanitisation should be considered a crucial step for preventing macro-based malware from entering an organisation through email attacks.
How much do you know about hacking and viruses? Take our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…