Attack techniques come and go as technology and user behaviours change and as defences adapt to new threats – and sometimes take their eye off old ones. The return of malicious macros offers an opportunity to examine the drivers behind these adaptations, an exercise that is equal parts business case and technical analysis. By combining technical analysis of malware samples with investigation on cybercriminal forums, this report exposes the economic and technical drivers behind the recent rise of malicious macros and enables cybersecurity practitioners to better defend their organisations against this and future advanced threats.
Proofpoint research into threats and underground forums finds that, from a cost perspective, malicious macros deliver the most ‘bang for the buck’: they combine lower up-front and maintenance costs with higher effectiveness, creating a ‘killer app’ for cybercriminals. Technical analysis and threat intelligence allow us to identify the causes behind the explosive return of malicious macros as a delivery technique featuring daily in massive campaigns:
»» Highly successful at evading not only traditional signature- and reputation-based defences, but also newer behavioural sandboxes
»» Able to be frequently updated easily and at low cost
»» Cross-platform and “unpatchable,” because the technique does not depend on a vulnerability in a specific operating system or application version
»» Reliance on end-user interaction: social engineering persuades the user to enable the macro, bypassing automated defences that never see the user click
»» Low up-front and maintenance costs increase return on investment (ROI)
Combined in a single solution, it is no surprise that malicious macro attachment campaigns have grown so rapidly in both size and frequency, and we can expect that they will only begin to subside when this equation changes and either their cost increases or their effectiveness decreases to the point that they can no longer deliver the same ROI.
For malware to be cost-effective, it must first and foremost be effective. The ability of malicious macros to consistently evade defences and entice end-users to click is a critical aspect of their success and attractiveness to threat actors. The main contributors to the effectiveness of malicious macros are:
- Ability to evade both signature-based and behavioural defenses
- Ease of tricking end-users into enabling the malicious content in the document
- Cheap and easy to create new versions to stay ahead of detection techniques
- They do not exploit vulnerabilities that can be patched; instead, the propensity of end-users to click is the vulnerability
Proofpoint observes dozens of new or modified malicious macros daily. While there are many custom or one-off macros, we have observed at least four to five established sellers who regularly market their services to multiple actors.
Malicious macros are cost-effective: the budget for a malicious document (or “maldoc”) campaign can range from zero to US$1,000. In addition to the services of a few established sellers such as Xbagging and MacroExp, there are many open-source examples, for cost-constrained or do-it-yourself actors, of how to weaponize a Microsoft Word document with a malicious macro.
Malicious macros are effective: unlike attachments that exploit known or zero-day vulnerabilities, malicious macro attachments may achieve higher success rates because they do not rely on the presence of an unpatched vulnerability in Microsoft Windows, Microsoft Office, or other common applications. While the campaigns themselves have expanded their repertoire beyond Word documents to include other Microsoft Office document types – primarily Excel – and templates such as HTML and XML, malicious messages with attachments remain a prominent feature of the threat landscape.
A large part of the success of malicious macros is rooted in their ability to exploit the Human Factor: as Proofpoint research has demonstrated elsewhere, every organization clicks. The best defense against this threat will minimize opportunities for end-user interaction before they can click, including:
»» Ensure that Microsoft Office in your organization is configured to disable macros by default, and preferably set to disable them “without notification.” The “with notification” option shows the user an “Enable Content” bar and leaves the decision with them, and as Proofpoint research has shown, someone always clicks. Apply the setting through Group Policy rather than relying on each user’s Trust Center choice, so that users cannot re-enable macros themselves; where a business process genuinely needs macros, “disable all except digitally signed macros” is a narrower exception than enabling them with notification.
»» Educate your users about the dangers of unsolicited email, and to be particularly wary of the phishing templates that Proofpoint research has found to be the most effective: message notifications, corporate financial messages, and delivery notifications.
»» Deploy next-generation solutions capable of detecting and blocking these and other modern, advanced email-borne threats.
The economics of malicious macros also highlight the importance of looking beyond tactical responses and taking a strategic approach that incorporates threat intelligence. In order to understand the dynamics driving new threats, organizations must have access to comprehensive threat intelligence: seeing before the first link in the attack chain, so to speak, enables security teams and decision-makers to understand who is creating new threats, why, and how likely they are to be used by different actors. This is the only way to identify, adapt to and defend against new threats as they emerge.
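The macro-setting recommendation above can be enforced and verified with the registry values that the Office Group Policy templates write. The script below is an added example, not part of the Proofpoint report: it shows the weak “with notification” value next to the hardened “without notification” value, applies the hardened one for Word, Excel and PowerPoint, and then reads the result back. It assumes Office 2016 or later (policy version key 16.0; Office 2013 uses 15.0) and writes the per-user policy hive, which is what a user-scope GPO would populate; the `blockcontentexecutionfrominternet` value is an Office 2016+ setting that goes beyond the report and blocks macros in files that carry the Mark-of-the-Web, such as email attachments.

```powershell
# Added example (not from the report): enforce Office "Disable all macros without notification"
# through the policy registry keys. Assumptions: Office 2016+ (16.0), per-user policy hive (HKCU),
# the three applications most often abused by maldoc campaigns.
$OfficeVersion = '16.0'           # use '15.0' for Office 2013
$Apps          = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings (Trust Center > Macro Settings):
#   1 = Enable all macros
#   2 = Disable all macros with notification     <- weak: "Enable Content" bar, the user decides
#   3 = Disable all except digitally signed macros
#   4 = Disable all macros without notification  <- hardened: no prompt, nothing for the user to click
$WeakSetting     = 2
$HardenedSetting = 4

function Set-OfficeMacroPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet(1, 2, 3, 4)][int]$VBAWarnings,
        [switch]$BlockInternetMacros
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # Policy hive value overrides the user's own Trust Center choice and greys it out in the UI
        New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord `
            -Value $VBAWarnings -Force | Out-Null

        if ($BlockInternetMacros) {
            # Office 2016+ only: block macros in files marked as coming from the Internet
            # (downloaded files and saved email attachments), regardless of VBAWarnings
            New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
                -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Get-OfficeMacroPolicy {
    # Reads the policy back and flags anything weaker than "without notification"
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application            = $app
            VBAWarnings            = $props.VBAWarnings
            BlockInternetMacros    = [bool]$props.blockcontentexecutionfrominternet
            Compliant              = ($props.VBAWarnings -eq $HardenedSetting)
        }
    }
}

# Apply the hardened setting (use -VBAWarnings $WeakSetting to see the non-compliant state reported)
Set-OfficeMacroPolicy -VBAWarnings $HardenedSetting -BlockInternetMacros
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

For fleet-wide enforcement the same values belong in a machine- or user-scope GPO built from the Office administrative templates; the script is useful for auditing individual endpoints and for verifying that the policy actually landed, since a missing `VBAWarnings` value in the policy hive means Office falls back to whatever the user chose in the Trust Center.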