Thousands of detections have been recorded

Jan 6, 2015 16:33 GMT  ·  By

Two pieces of malware have been delivered to users in the UK and the US through malicious email campaigns that rely on social engineering to trick recipients into enabling macros in their Microsoft Office programs.

Macros are small programs (in Office, VBA scripts) that let users automate repetitive tasks across the components of the Office suite. Cybercriminals have seen the advantages of the same scripting capability and use it to deliver malware: a macro runs with the full privileges of the user who opened the document, so it can download and launch anything that user could.

Multiple countries are affected

Microsoft acknowledged the risk posed by macros long ago and has disabled them by default for years; even so, cybercriminals still rely on this distribution method, resorting to social engineering to get the victim to enable the feature themselves.

Microsoft's security researchers spotted two email campaigns delivering the malware downloaders Adnel and Tarbir this way.

“These recent campaigns are one example of an increasing trend of macro malware targeting home users and enterprise customers. These threats predominantly target our customers in the US and UK,” says Alden Pornasdoro in a blog post.

Although the two threats were detected in several countries across the globe during December 2014, most infections were in the United Kingdom (about 11,000 compromised computers) and the United States (almost 10,000 infections).

Other countries where compromises were spotted are France, Japan, Australia, India, South Africa, Canada, Italy and Germany, but with fewer than 2,000 incidents.

Keep macros disabled to protect against the threats

The malware arrives in email attachments posing as financial documents of various kinds, from fake invoices and transaction reports to orders and payment details, in DOC and XLS format.

When opened in Microsoft Word or Excel, the file instructs the victim to enable macros manually in order to see its contents, claiming that the document was created with a newer version of the Office program and cannot be displayed otherwise. The malware does not execute unless macros are enabled, so the entire attack hinges on that one click.

“The combination of the instructional document, spam email with supposed monetary content, and a seemingly relevant file name, can be enough to convince an unsuspecting user to click the Enable Content button,” Pornasdoro says.

According to the researcher, once it runs the macro downloads further malware, including a threat that Microsoft's security products detect as Drixed. Drixed is in turn used by the cybercriminals to bring in other threats, such as Ursnif, which can steal passwords stored on the system.
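The attachment flow described above (a DOC or XLS that asks for Enable Content, then a macro that fetches the next stage) is what a mail gateway or incident responder has to triage at scale. The following script is an added example, not code from Microsoft or from the article: it identifies the container (legacy OLE2 .doc/.xls or OOXML .docm/.xlsm), checks for the _VBA_PROJECT stream name every VBA project carries, decompresses module streams with the MS-OVBA compression algorithm, and flags auto-execution entry points (AutoOpen, Document_Open, Workbook_Open and the like) together with downloader-style calls. The sample .docm it builds is constructed inline, not a captured file; the function names and the brute-scan shortcut are this example's own choices (it does not walk the OLE directory, so it assumes the module stream is stored contiguously), and a real investigation should use oletools' olevba, which parses the container properly.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc / .xls container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML .docm / .xlsm container
# OLE directory entries store names as UTF-16LE, so a raw search finds this one.
VBA_PROJECT_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# Procedures Word/Excel run with no further click once macros are enabled.
AUTOEXEC = re.compile(rb"\b(Auto_?Open|Auto_?Close|Auto_?Exec|Document_Open|"
                      rb"Document_Close|Workbook_Open|Workbook_Activate)\b", re.I)
# Calls typical of a downloader stage that fetches and runs a second payload.
DOWNLOADER = re.compile(rb"\b(URLDownloadToFile|XMLHTTP|WinHttpRequest|"
                        rb"ADODB\.Stream|CreateObject|Shell|Environ)\b", re.I)

def vba_container(data):
    """Container kind and the OLE blob holding the VBA project (None if absent)."""
    if data.startswith(OLE_MAGIC):
        return "ole", data if VBA_PROJECT_MARKER in data else None
    if not data.startswith(ZIP_MAGIC):
        return "other", None
    with zipfile.ZipFile(io.BytesIO(data)) as z:  # vbaProject.bin is an OLE file in the zip
        bins = [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
        return "ooxml", z.read(bins[0]) if bins else None

def decompress_vba(stream):
    """Decode an MS-OVBA CompressedContainer (2.4.1.1) into VBA source bytes."""
    if not stream or stream[0] != 0x01:
        raise ValueError("missing CompressedContainer signature")
    out, pos = bytearray(), 1
    while pos + 2 <= len(stream):
        header = int.from_bytes(stream[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0x3:          # not a chunk header: container has ended
            break
        pos += 2
        chunk_end = pos + (header & 0x0FFF) + 1  # size field = chunk size - 3, header included
        chunk_start = len(out)
        if not header & 0x8000:                  # raw chunk: up to 4096 literal bytes
            out += stream[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags, pos = stream[pos], pos + 1    # one flag bit per following token
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):       # literal byte
                    out.append(stream[pos])
                    pos += 1
                    continue
                token, pos = int.from_bytes(stream[pos:pos + 2], "little"), pos + 2
                decoded = len(out) - chunk_start
                bit_count = max((decoded - 1).bit_length(), 4)  # offset bits grow with decoded size
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):          # overlapping copy is intended
                    out.append(out[-offset])
    return bytes(out)

def find_vba_modules(ole):
    """Brute-scan an OLE blob for containers that decode to a VBA module (needs the
    stream stored contiguously; otherwise use a real OLE parser such as olevba)."""
    view, modules = memoryview(ole), []
    for i in range(len(view) - 3):
        if view[i] != 0x01 or (view[i + 2] >> 4) not in (0x3, 0xB):
            continue
        try:
            src = decompress_vba(view[i:])
        except (ValueError, IndexError):
            continue
        if src.startswith(b"Attribute VB_"):     # how every module's source starts
            modules.append(src)
    return modules

def triage(data):
    """What a mail gateway or analyst wants to know about one attachment."""
    kind, ole = vba_container(data)
    autoexec, downloader = set(), set()
    for src in (find_vba_modules(ole) if ole else []):
        autoexec.update(m.group(1).decode() for m in AUTOEXEC.finditer(src))
        downloader.update(m.group(1).decode() for m in DOWNLOADER.finditer(src))
    return {"container": kind, "has_vba": ole is not None,
            "autoexec": sorted(autoexec), "downloader": sorted(downloader)}

# Constructed sample, not a captured file: the downloader macro an "enable content" lure triggers.
SAMPLE_SOURCE = (b'Attribute VB_Name = "ThisDocument"\r\nSub AutoOpen()\r\n'
                 b'    Set h = CreateObject("MSXML2.XMLHTTP")\r\n'
                 b'    Shell Environ("TEMP") & "\\invoice.exe", 0\r\nEnd Sub\r\n')

def build_sample_docm():
    """Minimal OOXML zip whose vbaProject.bin is a fake OLE blob: real header, the
    _VBA_PROJECT name, then SAMPLE_SOURCE as one literal-only CompressedChunk."""
    body = b"".join(b"\x00" + SAMPLE_SOURCE[i:i + 8] for i in range(0, len(SAMPLE_SOURCE), 8))
    header = (0x8000 | 0x3000 | (len(body) - 1)).to_bytes(2, "little")
    fake_ole = OLE_MAGIC + b"\x00" * 504 + VBA_PROJECT_MARKER + b"\x00" * 8 + b"\x01" + header + body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", fake_ole)
    return buf.getvalue()
```

Running `triage(build_sample_docm())` reports an OOXML container with a VBA project, `AutoOpen` as the auto-execution entry point and `CreateObject`, `Environ`, `Shell` and `XMLHTTP` as downloader indicators; an attachment with a VBA project but no auto-execution procedure still deserves a look, since the lure can also ask the user to click a button wired to a macro. The decompressor is the piece worth keeping even if the rest is replaced by olevba: Office stores module source compressed, so grepping an attachment for `AutoOpen` or a URL finds nothing until the stream has been decoded.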

[Image gallery: Adnel and Tarbir infections (4 images). Captions: most of the detections are from the UK and the US; Microsoft recorded an infection spike in December; malicious emails claim to deliver money-related information.]