Recent articles about the Dridex botnet and the Adnel and Tarbir malware have reported a resurgence of malware embedded as macros within Microsoft Office documents. When looking at malware attached to spam emails, Trend Micro's Trend Labs have seen a rise in macro-based malware relative to the still dominant UPATRE malware.
One example of macro-based malware is Adnel, a macro that downloads and runs files on your PC when you open an infected Microsoft Office file. To show how anti-malware engines detect new threats over time, we used Metascan Online to scan an Excel document with Adnel embedded as a macro. Detection grew from zero anti-malware engines at the initial scan on January 23, 2015, to 28 anti-malware engines on March 31, 2015.
Reading reports about email attacks that use macro-based malware should reaffirm the importance of designing a good email security policy within an organisation. One of the first steps in creating an effective policy is to properly train employees so that they do not open malicious email attachments or enable macros in any documents that come from unknown sources. It is also important to make employees aware of current attack trends, such as social engineering, which manipulates users into enabling macros themselves.
By default, any Office documents that are opened as an email attachment have macros and editing disabled, so the user needs to actively choose to enable them within the document. In order to entice the user to perform this action, attackers try to create a document that the user would want to modify, either because they would need to edit it to send it back or would need to perform some other action on the document. This attack method is dangerous because users need to make edits to documents on a regular basis, but may not expect the document to contain malware. By training users on what to look for to ensure these documents come from trusted sources, organisations can take a step towards better email security practices.
Although training employees is a good first step, it is by no means a surefire way to prevent macro-based threats. In addition to training, measures should be put in place to block or remediate emails that might contain a potential threat. A few of these measures include blocking email attachments from unknown sources that contain dangerous file types, scanning attachments with multiple antivirus engines, and most importantly, protecting against macro-based malware by sanitising email attachments to remove unknown threats. Sanitising files, whether through file type conversion or other methods, will strip out any potentially dangerous macros while leaving behind the safe file content. This will prevent both known and unknown macro-based threats from entering an organisation through email.
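As an added illustration of the sanitisation step described above (this is example code, not from the article or from any product it mentions), the following Python script inspects an Office Open XML package for VBA parts and rebuilds it without them. The sample workbook is constructed in memory with a placeholder in place of real macro code, and the content-type and relationship handling assumes the standard OOXML part names for VBA projects.

```python
import io
import re
import zipfile

# Package parts that hold VBA code or its metadata (matched case-insensitively).
MACRO_PARTS = ("vbaproject.bin", "vbadata.xml", "vbaprojectsignature.bin")
# Macro-enabled main-part content types and the macro-free types that replace them.
CONTENT_TYPE_MAP = {
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
    "application/vnd.ms-word.document.macroEnabled.main+xml": "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
}
def is_macro_part(name: str) -> bool:
    return name.lower().rsplit("/", 1)[-1] in MACRO_PARTS
def package_parts(data: bytes) -> dict:
    """All parts of an OOXML package (a zip archive) as {name: bytes}."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {n: z.read(n) for n in z.namelist()}
def has_macros(data: bytes) -> bool:
    """True if any VBA part is present, whatever the file extension claims."""
    return any(is_macro_part(n) for n in package_parts(data))
def strip_macros(data: bytes) -> bytes:
    """Rebuild the package without VBA parts, their relationships and macro content type."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for name, body in package_parts(data).items():
            if is_macro_part(name):
                continue  # the macro is removed outright, not merely disabled
            if name == "[Content_Types].xml":
                text = re.sub(r'<Default[^>]*vbaProject[^>]*/>', "", body.decode("utf-8"))
                for macro_ct, plain_ct in CONTENT_TYPE_MAP.items():
                    text = text.replace(macro_ct, plain_ct)
                body = text.encode("utf-8")
            elif name.endswith(".rels"):
                body = re.sub(rb'<Relationship[^>]*vbaProject[^>]*/>', b"", body)
            dst.writestr(name, body)
    return out.getvalue()
def build_sample_xlsm() -> bytes:
    """Constructed stand-in for a macro-enabled workbook; the VBA blob is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<Types><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/></Types>')
        z.writestr("xl/_rels/workbook.xml.rels", '<Relationships><Relationship Id="rId1" Target="vbaProject.bin" '
            'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject"/></Relationships>')
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0PLACEHOLDER-NOT-REAL-VBA")
    return buf.getvalue()
```

Legacy binary formats (.xls, .doc) and embedded OLE objects are outside what this script handles, so a production sanitiser needs separate handling for them.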
1. Scan results for Adnel malware sanitised through file type conversion
2. Second example of sanitised Adnel malware scan results
These examples show that even back on January 23rd, when none of the anti-malware engines were detecting our Adnel sample as a threat, document sanitisation could have been used to neutralise the threat. Document sanitisation should be considered a crucial step for preventing macro-based malware from entering an organisation through email attacks.