What is a Macro Attack: Symptoms & Examples

A macro is a small applet used in Microsoft Office to increase the interactivity of a document. Flaws in this format made it possible to exploit it for malicious purposes.



What is a Macro Attack?

November 03, 2022

Big names are usually trusted since most of them release high-quality software. But the apparent trend shows that the biggest flaws leading to the harshest cyberattacks are discovered in the programs of exactly those names. And Microsoft is no exception; it is the trendsetter.

A macro attack is a malicious code injection case, a script-based attack that arrives as a macro instruction within a seemingly safe file. Hackers perform these attacks by embedding a script (most often one that downloads malware) into macro-supporting documents. Malicious use of macros relies on human weaknesses: ignorance and inattentiveness. Several features of macro attacks make them especially dangerous. However, there are also effective ways to prevent such attacks.

What are Macros?

Macros are commands used within many applications to automate routine processes and significantly broaden the program's field of use. For simplicity, let's take MS Office programs like Word and Excel as an example. Malefactors most often use these files to conduct macro attacks, after all.

There are a lot of functions you can perform on the data in Word, let alone Excel. By creating and running a macro, you can list a set of commands that describe a frequently repeated procedure and execute them effortlessly, saving a lot of time. Macros can also reach external resources: parse data from other files on your machine, or even access the network to download items from remote servers.

Programmers and advanced users employ different programming languages to write macros, but the language most widely used in attack-related cases is Visual Basic for Applications (VBA). Microsoft Office files are not the only possible carriers of malicious macros. MS Office analogs like OpenOffice and LibreOffice also support macros and use their own scripting languages to create them: OpenOffice Basic and LibreOffice Basic, respectively. Of course, office programs are not the only ones that feature macros. However, cybercriminals most often use office files for macro attacks, and we explain why below.

How Does a Macro Virus Work?

The easiest way to conduct an attack through macros is to embed a downloading script into a harmless-looking file. There can be other harmful payloads, not necessarily malware downloads. For example, executing a PowerShell script that removes files from your hard drive is a potential threat. But modern hacking rarely resorts to such things. Vandalism is unlikely because it is not lucrative at all. Criminals, on the contrary, would rather steal information from you to sell it, encrypt your data to extort a ransom, infect your machine with cryptocurrency miners, or exploit your endpoint in other ways for their benefit. All these scenarios imply the injection of extraneous software into your system. And macros are good at that.

Therefore, malware downloading is the most likely use of macros in an attack. However, hackers may use other commands in macros that play a supporting role in a complex attack. For example, a simple command that sends a harmless file by email to every address in a contact list, given that the addressees also open the file with the same effect, may cause unexpected consequences such as denial of service on mail servers. Such an attack (the spread of the Melissa virus) happened in 1999.

What Makes Macro Attacks Especially Dangerous?

Macro attacks can be a pain in the neck for security teams, since they possess some properties that make them hard to track and hard to stop from spreading.

  • Easy to spread. Macros work on different operating systems. Once they land on a machine, they can spread much like computer viruses and Internet worms. A macro can contain commands to alter other files and even file templates, which makes any file created on the infected machine a threat. Macros can also establish a network connection to spread malicious files via email.
  • Can be fileless. Malefactors can write macros so that no trace of their presence is left on the computer's hard disk or any other storage. This makes macro attacks a genuine instance of a fileless attack, whose code exists only in RAM and not on the victim machine's drive (as a file or in any other form).
  • Easy to obfuscate. There are plenty of algorithms for obfuscating macro code. Obfuscation is not encoding; it is a much simpler procedure, but it is enough to make the text unreadable to a human analyst, or to turn it into a real puzzle before anyone can say whether the macros used are malicious.

When the User is a Vulnerability

Macro attacks exploit arguably the most dangerous vulnerability in cyber security: the human user. Lack of computer literacy and inattentiveness make users an easy target for hackers and let criminals count on the user executing their malicious package. Criminals need to deceive users twice: first, to make them download a file with macros, and then to make them allow macro execution. There are various tricks hackers can resort to, but they are mostly the same as in most phishing and malware-spreading campaigns.

An unexpected email the user receives might contain a fake notification about a pending delivery, a due payment, a money transfer, or something more inventive, like copyright infringement. Spoofing the letterhead and the sender's email address is a frequent accompanying technique. Scammers usually present the attached file as a document with the full details behind the summary shown in the message body.

Baits to activate macros inside the already downloaded document vary, but one of the most widespread lures is the claim that scripts must be enabled to view a file created in a newer version of the program (a total scam, but non-technical people may buy into it).

What Can Prevent Macro Attacks?

Ways to protect against macro attacks are very similar to defensive measures against other hacker attacks, because there is hardly an attack that does not involve deception. Protection against macro attacks works on three levels.

Application Policy

The fact that you need to press a button to allow macros is already a security measure. IT managers can add to it by prohibiting macros, except for users with administrator privileges. Moreover, there are many settings and options in operating systems and applications that effectively limit the use of macros.

Education and Vigilance

As in phishing attacks, most of the hacker's tricks and deceptions in macro attacks rely on the victims' low awareness of what is possible and what is impossible in the cyber world. Understandably, it is hard to educate yourself and your employees quickly. However, there are safety rules that anyone can learn pretty fast. One of them is clear and simple: never follow links or download files received from suspicious senders.

Security Software

Installing an antivirus solution is not a direct way to repel macro-based attacks, but it is significant support in organizing protection. Firstly, security programs like GridinSoft Anti-Malware can detect many malicious files with macros. Secondly, even if a malicious script leads to the downloading of malware, an antivirus program will deal with the pest upon its arrival.
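A first triage step a security tool or analyst can take is simply checking whether an Office document carries a VBA project at all. The Python helper below is an added example, not Gridinsoft's code: it inspects the OOXML container (.docx/.docm/.xlsx/.xlsm are ZIP packages) for a vbaProject.bin part and for the vbaProject content type declared in [Content_Types].xml, and builds constructed sample documents to run against; the legacy binary .doc/.xls container is not covered.

```python
"""Triage helper: does an OOXML Office document carry a VBA macro project?
Added example, not Gridinsoft's code. OOXML (.docx/.docm/.xlsx/.xlsm) is a ZIP
container; a VBA project is stored as a vbaProject.bin part and is declared in
[Content_Types].xml. Legacy binary .doc/.xls files are not covered here.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_ooxml(data: bytes) -> dict:
    """Report which macro indicators an OOXML document contains."""
    result = {"is_ooxml": False, "vba_parts": [], "declares_vba": False,
              "has_macros": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a ZIP at all, so not OOXML
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result  # a ZIP, but not an OOXML package
        result["is_ooxml"] = True
        # A vbaProject.bin part under word/, xl/ or ppt/ is a VBA project.
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["declares_vba"] = VBA_CONTENT_TYPE in ctypes
    # Either indicator alone is enough to flag the file for closer inspection.
    result["has_macros"] = bool(result["vba_parts"] or result["declares_vba"])
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing, not a real document."""
    override = (f'<Override PartName="/word/vbaProject.bin" '
                f'ContentType="{VBA_CONTENT_TYPE}"/>') if with_macro else ""
    ctypes = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org'
              f'/package/2006/content-types">{override}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder VBA project bytes")
    return buf.getvalue()
```

Running inspect_ooxml(build_sample(True)) flags the macro-enabled sample while the clean sample and a non-ZIP byte string both come back with has_macros False; on a real file, pass the bytes read from disk.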

Frequently Asked Questions

What is a macro in cyber security?
From a cybersecurity point of view, a macro virus is a kind of virus written in macros, an applet embedded in software applications such as Microsoft Office. These applets are convenient since they allow users to automate tasks with a few keystrokes and improve workflow. Unfortunately, their execution environment is vulnerable and may lead to macro malware execution.
How does the macro virus spread?
Its code can be downloaded to users' computers after they click malicious links in advertising banners or URLs. Additionally, a huge share of macro virus distribution happens through email spam. Threat actors who run spear-phishing campaigns deliberately craft their message to look as realistic as possible and attach an infected file. The main execution environment for macro malware is MS Office apps and similar solutions that are compatible with macros and other Office applets.
Why are macros malicious?
Since antivirus programs usually do not track macros, considering them benign by default, and the macro execution environment in MS Office has many vulnerabilities, macro viruses can easily bypass the restriction and act in a live system. In addition, it is highly probable that the proactive protection of antivirus software will ignore macros, considering them useful. Although macros are disabled by default in Windows, hackers may trick users into turning them on, allowing macros to run. To prevent a macro attack, you should manually scan the suspected file.
What can prevent a macro attack?
Using files' digital signatures, as well as regular software updates. Digital signatures are one of the best ways to protect your computer from macro viruses. These signatures identify the source of the download or the file's author, so you know whether the files you're downloading come from a trusted source and have not been tampered with. In addition, regularly updating the security software on your computer will better protect you from new types of macro viruses as they are created.