Pierluigi Paganini January 05, 2015

The Microsoft Malware Protection Center (MMPC) has recently observed a surge in the infections of malware using macros to spread their malicious code.

The Microsoft Malware Protection Center (MMPC) is warning Office users on the diffusion of malicious macros through email attachments or social engineering websites. A macro is a series of commands and instructions that could be grouped in a single command to accomplish frequently used tasks automatically.

In the recent months, the experts at MMPC have observed a significant increase in enable-macros based malware, the most active codes include Adnel and Tarbir.

“Two recent macro downloaders that we have seen spreading through spam email campaigns areTrojanDownloader:W97M/Adnel and TrojanDownloader:O97M/Tarbir. These recent campaigns are one example of an increasing trend of macro malware targeting home users and enterprise customers. These threats predominantly target our customers in the US and UK.” states the official blog post published by Microsoft.

Both malware was detected in several attacks targeting the US- and UK-based home users and enterprise customers.

The attack vector for both malware is the email, the malicious binary is served with an attachment that operates as infection gateway. The attachments came in the form of  .doc or .xls files that appear to contain information related to a legitimate payment. The social engineering technique used in the attacks, exploits malicious emails with subject lines such as Payment details, Invoice – P97291, Order-Y24383, DOC file for report is ready, Invoice as requested, and so on.

Once the user is tricked into opening the malicious attachment, it prompts him to enable macros manually because Microsoft Office’s default settings are set to “Disable all macros with notification.”

“The combination of the instructional document, spam email with supposed monetary content, and a seemingly relevant file name, can be enough to convince an unsuspecting user to click the Enable Content button,” continues the MMPC report.

Once enabled the content the malware infects the targeted machine.

To avoid to be infected by the malware Microsoft suggests a few simple practices:

• A file which contains a receipt or billing statement, most of the time does not need to have any macros in it.
• Be cautious of unsigned macros and macros from an untrusted source. Macro malware are usually unsigned.
• Some macro malware leave the document intentionally empty, relying on the user to think that they need to enable the macro so that they can see something. Beware of such tricks.

Pierluigi Paganini

(Security Affairs –  Microsoft macros, malware)