Macro Malware: When Old Tricks Still Work, Part 1
Now comes a time when we are reminded of why this security warning prompt in Microsoft Word matters:
I went around my peers this afternoon and asked, “On the top of your head, can you give me a name of an effective macro malware? Better if its entry point was email.” The first common response I got was “Melissa” and a response from a more tenured colleague resulted in the names “WM Concept” and “LAROUX.” I asked another colleague if they can name a macro malware that was popular around 2005-2008, and that resulted in a trip down memory lane, to the era when macro malware was so effective in the early 2000’s. We remembered how things changed when Microsoft Office’s security settings were set to high, how the malware landscape changed, and how history is repeating itself right now.
“New bottles for old wine”
We’ve already seen signs of macro malware in the threat landscape a year ago with the W97M_SHELLHIDE.A and TSPY_ZBOT.DOCM combination. At first, we thought that it was just a chance encounter but, as covered in our recent report on BARTALEX, the method of distributing malware through the misuse of macros has borne the likes of DRIDEX, ROVNIX and VAWTRAK into computer systems from the latter part of 2014 up to this year.
What’s more, we noticed that this resurgence of macro malware has a single area of focus: enterprises. Enterprises were heavily affected by a spam outbreak involving macro malware
We saw that macro malware detections in Q1 2015 drove huge numbers:
This data is based on feedback from Trend Micro’s Smart Protection Network, representing files that have been detected on endpoints. The following conclusions can be drawn:
- The two common malware families seen are W97M_MARKER and W2KM_DLOADR.
- You can see X2KM_DLOADR detections around the start of February.
- A couple more significant ones like W2KM_DOXMAL and W2KM_MONALIS started showing up on the 2nd week of March
- Finally, W2KM_BARTALEX started picking up middle of February and was seen up to the last week of March
We tried to confirm if the systems were running on old environments and found that majority of the desktops are running current versions of Microsoft® Windows, with intermittent numbers for the now-ailing Windows XP and a few server-based installations that are probably file servers:
|Windows 7/Windows Server 2008 R2||91.72%|
|Windows Vista/Windows Server 2008||2.18%|
|Windows Server 2003||0.86%|
|Windows 8.1/Windows Server 2012 R2||0.67%|
To add to this, Operation Woolen-Goldfish did employ spear-phishing emails with malicious attachments that were Excel files with an embedded macro. The macro code was instrumental in dropping the .DLL file that instated the malware, GHOLE. Targeted attack campaigns would usually use vulnerabilities that had been determined to be effective on a target, or even zero-day vulnerabilities. This operation, however, had taken a much easier route of using the tired, old method of traditional malware.
If you take the methods employed by GHOLE, ZBOT, DRIDEX, ROVNIX and VAWTRAK, we’ve all seen them in the past – as well as macro malware and email-borne threats. I’ve read somewhere that the statement “new bottles for old wine” came from the fact that wine sits in a cellar for an extended period of time, waiting for the right time to be bottled. This looks exactly like the same situation: the right time has come and known threats are repackaged with old methods, resulting to what we now determine to be equally effective.
Our discussion about the macro malware, specifically, their techniques, will continue in the second entry of this series.
With additional insights and analysis from Jamz Yaneza, Jeffrey Bernardino and Renato Geroda