Macros used in Microsoft Office documents, such as Word, Excel or PowerPoint, are convenient tools that let users write simple scripts to automate repetitive tasks. The problem is that they are easily exploited by hackers to spread viruses, worms, ransomware and other types of malware, and they have consistently been shown to be a cybersecurity risk.
CSA reached out to cybersecurity experts to get a better idea on the risks of macro malware and how to mitigate them.
Macro viruses were a common menace a few decades ago. Now, macro-related threats are having a resurgence, driven by increasingly sophisticated social engineering methods and by how widely macros are used in businesses. After all, it’s much easier to convince a person to download and open a Microsoft Office document of the kind they deal with every day at work than, say, to run an executable file.
Furthermore, according to Olli Jarva, Managing Consultant, Software Integrity Group, Synopsys, when it comes to the bigger picture, macros continue to be a prominent vector of attack “mainly from the fact that the install base for utilising such a vector is big”.
Often, people are tricked into downloading malware-laden files through various delivery mechanisms, especially email. Users who have macros enabled in Microsoft Office and open these malicious files automatically kick off the infection process, allowing additional components to be downloaded without them even realising it.
At the start of the year, security researchers discovered a couple of nasty macro-delivered malware families in the form of GandCrab and Ursnif. He Feixiang, Mobile Security Researcher at Check Point Software Technologies, explained that “GandCrab is ransomware that primarily targets Windows operating systems. Once GandCrab infiltrates a system, it will encrypt important user data such as documents, videos, and photos so that data becomes meaningless random bits. Some variants of GandCrab also steal Bitcoin on victim systems. The hacker will communicate with victims, demanding ransom to unlock the impacted files.”
Meanwhile, Ursnif is a data-stealing malware that also targets Windows. It is designed to steal login credentials when a user interacts with online financial services. He added, “Besides the GandCrab ransomware and "banker" malware Ursnif, we also observed surveillance malware such as NanoCore RAT (Remote Access Tool). Check Point Research also revealed frontline threat intelligence on an enhanced banking Trojan named Osiris in 2018.”
For remediating such attacks, Olli pointed out that organisations typically disable the use of macros. However, he said, “some scenarios need the usage of macros, so then it becomes more important to validate where you are getting the files that need the macros to be used.”
When it comes to tackling the problem, Olli suggested several precautionary steps. First of all, organisations should always have up-to-date security software on their endpoints. Secondly, organisations should have some sort of email filtering or protection in place to ensure that malicious emails won’t get through to the users. “The more drastic measure is to eliminate the whole usage of macros in the office products. This would protect by not allowing them to execute the scripts when files are opened”, he added.
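The two defensive steps above, filtering attachments at the mail gateway and validating where macro-bearing files come from, can be illustrated with a small check on the attachment itself. The following is an added example written for this article; it is not code from any of the quoted experts or their companies. It inspects an Office attachment offline: Office Open XML files (.docx, .xlsm, .pptm and friends) are ZIP containers, and a macro project lives in a `vbaProject.bin` part that is also declared in `[Content_Types].xml`, so both can be checked without opening the document. Legacy binary (.doc/.xls) files in the OLE format are flagged as unknown because they need a VBA-aware parser such as the open-source `olevba` tool. The sample documents and filenames below are constructed in memory for demonstration and are not real attachments.

```python
import io
import os
import zipfile

# Magic bytes of the legacy OLE2 container used by .doc/.xls/.ppt files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type Office declares for an embedded VBA project.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that are meant to carry macros vs. those that are not.
MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
MACRO_FREE_EXT = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"}


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return {'filename', 'macros': 'none'|'present'|'unknown', 'reasons': [...]}."""
    ext = os.path.splitext(filename.lower())[1]
    result = {"filename": filename, "macros": "none", "reasons": []}

    if data.startswith(OLE_MAGIC):
        # Old binary format: macros live in OLE streams, which this check does not parse.
        result["macros"] = "unknown"
        result["reasons"].append("legacy OLE binary format; needs a VBA-aware parser such as olevba")
        return result
    if not data.startswith(b"PK"):
        result["macros"] = "unknown"
        result["reasons"].append("not an Office Open XML (ZIP) container")
        return result

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Word, Excel and PowerPoint all store the project as <app>/vbaProject.bin.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                result["macros"] = "present"
                result["reasons"].append("vbaProject.bin part found")
            try:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            except KeyError:
                content_types = ""
            if VBA_CONTENT_TYPE in content_types:
                result["macros"] = "present"
                result["reasons"].append("VBA content type declared in [Content_Types].xml")
    except zipfile.BadZipFile:
        result["macros"] = "unknown"
        result["reasons"].append("corrupt or truncated OOXML container")
        return result

    # A macro project inside a supposedly macro-free extension is a mismatch worth flagging.
    if result["macros"] == "present" and ext in MACRO_FREE_EXT:
        result["reasons"].append(f"macro project inside a '{ext}' file: extension does not match content")
    return result


def should_quarantine(verdict: dict, sender_allowlisted: bool = False) -> bool:
    """Gateway policy: hold anything with (or possibly with) macros unless the
    sender is on an explicit allow-list, i.e. the source has been validated."""
    return verdict["macros"] != "none" and not sender_allowlisted


# --- Constructed sample attachments (not real files) -------------------------
def _build_ooxml(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


_CT_PLAIN = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             '<Default Extension="xml" ContentType="application/xml"/></Types>')
_CT_MACRO = _CT_PLAIN.replace(
    "</Types>", f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/></Types>')
_DOC_XML = "<w:document/>"  # placeholder document body
_VBA_BIN = b"\x00constructed placeholder, not a real VBA project"

SAMPLES = {
    "report.docx": _build_ooxml({"[Content_Types].xml": _CT_PLAIN, "word/document.xml": _DOC_XML}),
    "invoice.docm": _build_ooxml({"[Content_Types].xml": _CT_MACRO, "word/document.xml": _DOC_XML,
                                  "word/vbaProject.bin": _VBA_BIN}),
    "renamed.docx": _build_ooxml({"[Content_Types].xml": _CT_MACRO, "word/document.xml": _DOC_XML,
                                  "word/vbaProject.bin": _VBA_BIN}),
    "old_memo.doc": OLE_MAGIC + b"\x00" * 64,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        v = inspect_attachment(name, blob)
        print(f"{name:14} macros={v['macros']:8} quarantine={should_quarantine(v)}  {'; '.join(v['reasons'])}")
```

The check is deliberately conservative: an attachment whose macro status cannot be determined is treated the same as one that definitely carries macros, so the gateway fails closed, and only an explicit allow-list decision (the "validate where you are getting the files" step) releases it.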
Since email poses such a problem and has become a popular gateway for ransomware, malware and other threats to get into organisations, He Feixiang said people should always look for telling signs of potentially malicious emails and ask themselves these vital questions:
He stressed that users should stop interacting with the email if the answer to any of the questions is a "yes". It is also good practice to install professional security products to safeguard user data. If worst comes to worst, businesses could opt for MS Office alternatives such as Apple iWork, Apache OpenOffice and Google G Suite.
During a recent webinar that CSA ran with Malwarebytes, this topic was brought up during the Q&A session when an attendee asked how a company should approach their macro settings. Malwarebytes Senior Engineer, Adran Yoong, said there’s no single answer to how companies should set macros. Simply disabling macros won’t guarantee that you are 100% safe either.
Last year, for example, there was a rise in DDE attacks that could be carried out without the need for macros to be enabled. Adran warned that new MS Office vulnerabilities are continuously discovered and exploited by cybercriminals for nefarious purposes. “When those kinds of newer attacks were to get launched, even with macros disabled, you still have the risk of getting attacked because of the many capabilities provided by MS Office.”
Adran added, “For those of you who remember, there was also a PowerPoint attack that did not depend on macro, but rather, was dependent on mouseover of a particular object embedded into PowerPoint. So, disabling macro itself is not the full answer to all these attacks that are coming out every now and then.”