Shane Chambers

A macro is a small piece of code that runs within a software program such as Microsoft Word or Excel, and is normally used to automate common or repetitive tasks. Macro malware is the practice of hiding a virus in macro code and enticing unsuspecting users into downloading a Word or Excel file and running the macro within it, which will then download a virus, malware or even ransomware onto that person’s PC. Macro malware was common during the 1990s, but lapsed in popularity through most of the 21st century as increasingly savvy PC users learned how to spot the spam or phishing emails that delivered it, which were often riddled with typos. Nowadays, however, macro malware is seeing a big return due to two factors. First, phishing emails are becoming increasingly sophisticated and no longer have obvious typos in them. Second, ransomware, a very profitable form of malware for criminals, can be easily downloaded via a macro, leading to entire networks being encrypted and held to ransom. It is now critical that all users understand the threats that macro malware can pose, particularly to their organisation, and learn how to spot the attacks before it’s too late.


Excel files are a common means of transmission for macro malware, which can download ransomware to infect entire networks at a time

How does macro malware spread?

Macro malware is most commonly spread in email attachments, using phishing and social engineering to trick users into downloading the attachment and running the macro. Cyber criminals will often target businesses with these types of attack, as they are commonly used to conceal ransomware. The Word/Excel files themselves are often ‘harmless’ and will not be flagged by antivirus software, but a virus is downloaded to the PC when the macro is allowed to run.

Why does macro malware target businesses?

Cyber criminals usually don’t create and send malware just to be destructive; they do it to make money. In the last 5 years, there has been an unprecedented rise in the monetisation of cyber crime, with hacking available as a ‘professional’ service via online forums and malware available to purchase for as little as €10 (we go into more detail on this in our Cybercrime-as-a-Service article). Macro malware is the ideal means of transmission for ransomware, which spreads aggressively across business IT networks and ultimately makes more money for the criminals behind the attacks.

How do you detect an attack?

Social engineering is the key to a successful macro malware attack. In order for the macro to download malware onto a PC, a user must first allow it to run. Hence, the documents have names that entice users to allow the macro, and they are accompanied by emails that make the user think there will be negative consequences if they do not run it, such as missing a payment to a client, or that trick them into thinking they have been charged for something incorrectly. Phishing emails try to create a sense of urgency, which should always be a big red flag for employees.

How can it infect a whole network, even if we have antivirus?

The trick with concealing an attack in a Word or Excel macro is that the malware is not actually contained within the document, meaning that antivirus software or firewalls won’t usually flag the document as a threat. This also holds true for malware that is hidden within a password-protected file, another increasingly common attack vector. Once the criminals have used social engineering to trick the user into downloading the file and allowing the macro to run, the code within then downloads the latest strain of ransomware. Today’s ransomware is often not just one piece of malware, but several pieces of malware combined, allowing it to spread rapidly from PC to PC over a network using a variety of exploits and vulnerabilities. It ultimately encrypts any PC or server it comes into contact with, and demands that the hackers be paid a ransom in crypto-currency.
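
Because the payload is not in the document, a mail gateway or analyst can still triage attachments by their structure: whether an Office file carries a VBA macro project at all, and whether an archive is encrypted and therefore unscannable. The Python below is an added example, not part of the original article; the function names, labels and the sample message are constructed for illustration, and it checks for VBA projects only.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls and encrypted Office files

def classify(data: bytes) -> str:
    """Label one attachment by container structure, not by file extension."""
    if data.startswith(OLE_MAGIC):
        return "ole-container"        # may hold macros or an encrypted document
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "other"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        entries = z.infolist()
    if any(e.filename.lower().endswith("vbaproject.bin") for e in entries):
        return "ooxml-vba-macros"     # VBA project stored inside the document
    if any(e.flag_bits & 0x1 for e in entries):
        return "encrypted-zip"        # content cannot be scanned without the password
    return "zip-no-vba"

def triage_email(raw: bytes) -> dict:
    """Map each attachment filename in a raw email message to its label."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): classify(p.get_payload(decode=True))
            for p in msg.iter_attachments()}

def make_zip(member: str, encrypted: bool = False) -> bytes:
    """Constructed sample: a one-member ZIP, optionally marked as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member, b"constructed sample bytes")
    data = bytearray(buf.getvalue())
    if encrypted:                     # set bit 0 of the central-directory flags
        data[data.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(data)

def sample_email() -> bytes:
    """Constructed message with three attachments (not real traffic)."""
    msg = EmailMessage()
    msg["Subject"] = "URGENT: overdue invoice"
    msg.set_content("See attached invoice.")
    for name, blob in [("invoice.docm", make_zip("word/vbaProject.bin")),
                       ("report.xlsx", make_zip("xl/workbook.xml")),
                       ("statement.zip", make_zip("statement.doc", True))]:
        msg.add_attachment(blob, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, label in triage_email(sample_email()).items():
        print(f"{name}: {label}")
```

A label of `ooxml-vba-macros`, `ole-container` or `encrypted-zip` is a reason to quarantine or inspect further, not proof of malice; plenty of legitimate spreadsheets carry macros.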

What’s the bottom line, and how do I protect my organisation from macro malware?

There is no one solution to protecting a company or organisation from macro malware or other specific threats. Cyber crime is always changing, and as users get wise to attacks, criminals will instead use something different. This is why macro malware dropped in popularity after the ’90s, and why it’s back now that many people are no longer vigilant about it. The key to protecting an organisation against ever-evolving threats is to have an ever-evolving cyber security awareness training program for all staff, which is kept up-to-date with the latest schemes and can keep your staff informed, and keep security top of mind.

Are you concerned about phishing? Take the Tech Guard Phish-Prone Challenge, a free test for businesses to see how susceptible their staff are to modern, sophisticated phishing attacks. Remember, your network is only as strong as its weakest part.