What is a Macro Attack?
November 03, 2022
A macro attack is a form of malicious code injection: a script-based attack in which the malicious code arrives as a macro inside a seemingly safe file. Hackers perform these attacks by embedding a script, most often one that downloads malware, into macro-supporting documents. The harmful use of macros relies on human weaknesses: ignorance and inattentiveness. Several features of macro attacks make them especially dangerous; however, there are also effective ways to prevent them.
What are Macros?
Macros are commands used within many applications to automate routine processes and significantly broaden the program's field of use. For simplicity, let's take MS Office programs like Word and Excel as an example; after all, malefactors most often use these files to conduct macro attacks.
There are many operations you can perform on the data in Word, let alone Excel. By creating and running a macro, you can record a set of commands that describe a frequently repeated procedure and execute them effortlessly, saving a lot of time. Macros can also address external resources: they can parse data from other files on your machine or even access the network to download items from remote servers.
Programmers and advanced users write macros in different programming languages, but the language most widely used in attacks is Visual Basic for Applications (VBA). Microsoft Office files are not the only possible carriers of malicious macros. MS Office analogs like OpenOffice and LibreOffice also support macros and use their own scripting languages to create them: OpenOffice Basic and LibreOffice Basic, respectively. Of course, office programs are not the only ones to feature macros. Nevertheless, cybercriminals most often use office files for macro attacks, and below we explain why.
How Does a Macro Virus Work?
The easiest way to conduct an attack through macros is to embed a downloading script into a harmless-looking file. Other harmful payloads are possible, not only malware downloads. For example, a macro could run a PowerShell script that deletes files from your hard drive. But modern attackers rarely resort to such things: vandalism is unlikely because it is not lucrative at all. Criminals would rather steal your information to sell it, encrypt your data to extort a ransom, infect your machine with cryptocurrency miners, or exploit your endpoint in other ways for their benefit. All these scenarios require injecting extraneous software into your system, and macros are good at that.
Therefore, downloading malware is the most likely use of macros in an attack. However, hackers may also use other commands in macros that play a supporting role in a complex attack. For example, a simple command that emails a harmless-looking file to every address in the contact list, given that each recipient then opens the file with the same effect, can have unforeseen consequences such as a denial of service of mail servers. Such an attack, the spread of the Melissa virus, happened in 1999.
What Makes Macro Attacks Especially Dangerous?
Macro attacks can be a pain in the neck for security teams because they have properties that make them hard to track and hard to stop from spreading.
- Easy to spread. Macros work on different operating systems. Once they land on a machine, they can spread like computer viruses and Internet worms. A macro can contain commands that alter other files and even document templates, which makes any file created on the infected machine a threat. Macros can also establish a network connection to spread malicious files via email.
- Can be fileless. Malefactors can write macros so that no trace of their presence is left on the computer's hard disk or any other storage. This makes macro attacks a genuine instance of a fileless attack, whose code exists only in RAM and not on the victim machine's drive (as a file or in any other form).
- Easy to obfuscate. There are plenty of algorithms for obfuscating macro code. Obfuscation is not encoding; it is a much simpler procedure, but it is enough to make the text unreadable to a human analyst, or to turn it into a hell of a puzzle that must be solved before anyone can say whether the macros are malignant.
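The "hard to track" property above is what a share audit addresses. The following is an added example, not code from the original article: it inventories Office documents that carry a VBA project by looking at the container structure rather than the file extension. The root path is hypothetical; legacy OLE2 files are only flagged for review, because deciding whether they hold macros needs a real OLE parser such as oletools' olevba.

```powershell
# Added example (not the article's code). Assumes Windows PowerShell 5.1 or later;
# System.IO.Compression ships with .NET Framework 4.5+.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-MacroVerdict {
    param([Parameter(Mandatory)][string]$Path)
    # Read the 4-byte magic number to tell the two Office container formats apart.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $hdr = New-Object byte[] 4
        $n = $fs.Read($hdr, 0, 4)
    } finally { $fs.Dispose() }
    if ($n -lt 4) { return 'Unknown' }

    # OOXML (.docx/.docm/.xlsm/.pptm ...) is a ZIP archive: 50 4B 03 04.
    # A VBA project is stored as a part named vbaProject.bin, so its presence is
    # decisive regardless of the extension the file was given.
    if ($hdr[0] -eq 0x50 -and $hdr[1] -eq 0x4B -and $hdr[2] -eq 0x03 -and $hdr[3] -eq 0x04) {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            $hasVba = [bool]($zip.Entries | Where-Object { $_.FullName -match 'vbaProject\.bin$' })
        } finally { $zip.Dispose() }
        if ($hasVba) { return 'VBA' } else { return 'NoVBA' }
    }

    # Legacy OLE2 (.doc/.xls/.ppt) starts with D0 CF 11 E0. Deciding whether such a
    # file holds a VBA project needs an OLE parser, so it is only flagged here.
    if ($hdr[0] -eq 0xD0 -and $hdr[1] -eq 0xCF -and $hdr[2] -eq 0x11 -and $hdr[3] -eq 0xE0) {
        return 'LegacyOLE-ReviewNeeded'
    }
    return 'Unknown'
}

function Find-MacroDocuments {
    param([Parameter(Mandatory)][string]$Root)
    # Walk the tree and keep only files that carry VBA or still need a look.
    Get-ChildItem -Path $Root -Recurse -File -Include '*.doc*', '*.xls*', '*.ppt*' |
        ForEach-Object {
            [pscustomobject]@{ Path = $_.FullName; Verdict = Get-MacroVerdict -Path $_.FullName }
        } |
        Where-Object { $_.Verdict -ne 'NoVBA' }
}

# Usage with a hypothetical share path: list every macro-bearing or review-worthy document.
Find-MacroDocuments -Root '\\fileserver\shared' | Format-Table -AutoSize
```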
When the User Is the Vulnerability
Macro attacks exploit arguably the most dangerous vulnerability in cyber security: the human user. Lack of computer literacy and inattentiveness make users an easy target for hackers and let criminals count on the user to execute their malignant package. Criminals need to deceive the user twice: first, to make them download a file with macros, and then to make them allow macro execution. There are various tricks hackers can resort to, but they are mostly the same as in most phishing and malware-spreading campaigns.
The unexpected email the user receives might contain a fake notification about a pending delivery, a due payment, a money transfer, or something more inventive, like a copyright infringement claim. Spoofing the letterhead and sender address is a frequent technique accompanying these emails. Scammers usually present the attached file as a document containing the complete information behind a summary shown in the message body.
The baits used to get macros enabled inside the already downloaded document vary, but one of the most widespread lures is the claim that scripts must be enabled to view a file created in a newer version of the program (a total scam, but non-technical people may buy into it).
What Can Prevent Macro Attacks?
Ways to protect against macro attacks are very similar to defensive measures against other hacker attacks, because there is hardly an attack that does not involve deception. Protection against macro attacks works in three directions: application and system settings, user education, and security software.
The fact that you need to press a button to allow macros is already a security measure. Administrators can build on it by prohibiting macros for everyone except users with administrator privileges. Moreover, operating systems and applications offer many settings and options that effectively limit the use of macros.
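One concrete form of those settings is the per-application macro policy that Office reads from the registry. The block below is an added example, not from the article: it audits and hardens the Word, Excel and PowerPoint policy values in the per-user policy hive that Group Policy writes to, and assumes Office 2016 or later (version key 16.0) and Windows PowerShell 5.1 or later, run as the target user.

```powershell
# Added example (not the article's code). The keys under HKCU:\Software\Policies are
# the ones Group Policy populates; values set there override the user's Trust Center.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all macros (the weak setting), 2 = disable with notification
# (the "Enable Content" button the article mentions), 3 = disable except digitally
# signed macros, 4 = disable all macros without notification.
$VbaWarningsMeaning = @{
    1 = 'Enable all macros (weak)'
    2 = 'Disable with notification'
    3 = 'Digitally signed macros only'
    4 = 'Disable all, no notification'
}

function Get-OfficeMacroPolicy {
    # Report the effective policy per application; a missing value means the user
    # can still change the setting in the Trust Center.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $warn = if ($p -and $null -ne $p.VBAWarnings) { [int]$p.VBAWarnings } else { $null }
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $warn
            Meaning             = if ($null -ne $warn) { $VbaWarningsMeaning[$warn] } else { 'Not set by policy' }
            BlockInternetMacros = [bool]($p -and $p.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

function Set-OfficeMacroPolicy {
    # Default to signed-only macros and block macros in files that carry the
    # Mark-of-the-Web (downloaded or emailed), which is the common delivery route.
    param([ValidateSet(2, 3, 4)][int]$VBAWarnings = 3)
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VBAWarnings -Type DWord
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

# Audit first; call Set-OfficeMacroPolicy to apply the hardened values.
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

In a domain, the same values are set centrally through the Office administrative templates rather than per machine; the script shows what those policies write.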
Education and Vigilance
As in phishing attacks, most of the hackers' tricks and deceptions in macro attacks rely on the victims' low awareness of what is and is not possible in the cyber world. Understandably, it is hard to educate yourself and your employees properly in a short time. However, there are safety rules that anyone can learn quickly. One of them is clear and simple: never follow links or download files received from suspicious senders.
Installing an antivirus solution is not a direct way to repel macro-based attacks, but it is significant support in organizing protection. Firstly, security programs like GridinSoft Anti-Malware can detect many malignant files with macros. Secondly, even if a malignant script manages to download malware, an antivirus program will deal with the pest upon its arrival.