Pierluigi Paganini
September 23, 2014
Experts at SophosLabs observed a surge in VBA malware, according their analysis macro-based malware accounted for 28 percent of all malware attack detected in July, up from just six percent in June, despite 58 percent of the attacks used known exploits.
The experts discovered different VBA downloader templates, which contain VBA code and the instructions for the authors of VBA Malware on how to package their malicious code and how to obfuscate it.
VBA malware is largely used cyber threat actors due the possibility to rapidly change their code to implement new evasion techniques, the exploits have a rigid file structure that makes it difficult to apply any change, for the same purpose, without affecting functionality.
“Visual Basic code is easy to write, flexible and easy to refactor. Similar functionality can often be expressed in many different ways which gives malware authors more options for producing distinct, workable versions of their software than they have with exploits.” wrote Graham Chantry, a senior security researcher at SophosLabs, in a blog post.
Another advantage in the use of Visual Basic malware is that, unlike exploits, they are not “tied to specific versions of Microsoft Office”, it is enough that victims run a vulnerable version of Office as well as not effective anti-virus software for the malicious code to infect the machine.
VBA malware has a big drawback respect exploits, it could be easily neutralized properly configuring the Microsoft’s “Macro Security Level”. Newer Office versions, including 2007 or later disables VBA macros from untrusted sources by default and executes code only “if the user explicitly enables them.”
This means that the attacker needs a further effort to convince the victim to perform an operation, authorizing the execution of the code. Typically this is done through social engineering, for example, informing the user that the code being executed has a purpose for his interest and requires the disable of defensive features.
“To overcome this limitation, authors of malicious VBA code have to use Social Engineering techniques to trick users in to running their macros.” states the post.
Visual Basic document based malware is usually spread through spam campaigns in which the attached document hidden the malicious code.
The blog post includes a template of VBA Malware downloader in which it is necessary to substitute the DIRECT LINK HERE string with a URI to a malicious code.
“imports the Windows API URLDownloadToFile to download an executable into the user’s temporary directory,” “Once downloaded, the code uses the shell command to execute the dropped sample as a separate process.” states the post.
The availability of these templates make it easier to write malicious code for VBA malware authors, the structure proposed in the example by Sophos is widely adopted for VBA downloaders, accounting for about 34 percent of all macro downloaders that have been detected by Sophos in July.
Fortunately, variants recently detected using these templates are very similar and could be easily neutralized by heuristic detection.
The threat posed by VBA malware should not be underestimated, as explained in the post the experts detected numerous variants implementing creative techniques to infect victim’s machines.
“we saw Visual Basic code executing an encoded PowerShell script, to inject assembler code into memory,” “More recent variants have even utilised the AutoIt scripting language and traditional Batchscript.” By adding new layers to the infection process malware authors are likely trying to “conceal their true intentions from AV detection (wrapping malicious assembler code within PowerShell, within Visual Basic, etc.),” Chantry explained. “Obfuscating the malicious payload may be somewhat effective against static signature based detection but the obfuscation process itself serves as an excellent trait for heuristic detection. The only question now is what languages will they choose next?”
(Security Affairs – Sophos, VBA Malware)
