Weaponized macros embedded in Microsoft Office documents and delivered through email phishing are the preferred delivery method. “This makes it almost trivial to launch the first stage of an infection chain,” says Cofense researcher Aaron Riley. “Macros, used as such, are embedded Visual Basic scripts typically used to facilitate either the download or direct execution of further payloads.”

The timing of the report is either ironic, or Microsoft knew something before its publication. Just yesterday, we reported on the company’s efforts to protect Office 365 from macro code attacks. Microsoft announced it is using the Antimalware Scan Interface (AMSI) to combat VBA macro attacks. With the integration, apps will be protected by security protocols, including antivirus, to prevent macro attacks.

As I discussed yesterday, macro attacks are a relatively easy avenue for malware delivery. Microsoft recognizes this and confirmed that malicious macros have been used for decades and have increased in popularity in recent years. Because macros are such an easy method, attackers are able to use them to deliver some of the nastiest malware in the wild. Malicious payloads delivered through macros include Geodo, Chanitor/Hancitor, AZORult and GandCrab. “The range of different types of malware, from simple bots to ransomware, shows that mature and amateur operators alike are using this vehicle to get the payload to the endpoint,” Riley adds.

Other Common Delivery Methods
Behind macro delivery, the second most popular attack method to access Windows 10 machines is CVE-2017-11882. This one is Microsoft’s own vulnerability, specifically a flaw in the Microsoft Office Equation Editor component. Classified as a memory corruption vulnerability, this bug gives bad actors the ability to run arbitrary code. Cofense says this accounts for 37 percent of malware delivery through August.

Below is Microsoft’s description of the vulnerability:

“A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”
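
For defenders triaging mail attachments, the two delivery methods above can be flagged with a simple static check. The following is an added example, not code from Cofense or Microsoft: the function names, the marker strings it searches for and the sample inputs are assumptions of this sketch, and the samples are constructed placeholders rather than real documents.

```python
import io
import zipfile

# Heuristic markers (assumptions of this example, not from the article):
# OLE stream names are stored as UTF-16LE; "Equation.3" is the ProgID text.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
EQUATION_MARKERS = (b"Equation.3", "Equation Native".encode("utf-16-le"))
MAX_MEMBER = 10_000_000  # skip oversized members instead of inflating them


def _scan(blob: bytes, result: dict) -> None:
    """Set flags for markers found in one raw or inflated byte string."""
    if VBA_MARKER in blob:
        result["vba_macro"] = True
    if any(marker in blob for marker in EQUATION_MARKERS):
        result["equation_object"] = True


def triage_attachment(data: bytes) -> dict:
    """Flag the two delivery methods: VBA macros and Equation Editor objects."""
    result = {"vba_macro": False, "equation_object": False}
    _scan(data, result)  # covers legacy OLE (.doc/.xls) and RTF bytes
    if zipfile.is_zipfile(io.BytesIO(data)):  # OOXML (.docx/.docm/...)
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith("vbaproject.bin"):
                    result["vba_macro"] = True
                if info.file_size <= MAX_MEMBER:
                    _scan(zf.read(info), result)  # markers only visible once inflated
    return result


def build_sample(members: dict) -> bytes:
    """Build a constructed OOXML-like zip in memory (placeholder bytes only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real documents.
DOC_XML = {"word/document.xml": b"<w:document/>"}
SAMPLE_MACRO = build_sample({**DOC_XML, "word/vbaProject.bin": b"placeholder"})
SAMPLE_EQUATION = build_sample(
    {**DOC_XML, "word/embeddings/oleObject1.bin": b"\x00" * 64 + EQUATION_MARKERS[1]})
SAMPLE_CLEAN = build_sample(DOC_XML)
SAMPLE_RTF = b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}}}"
```

A hit is a reason to route the attachment to sandboxing or quarantine; a miss is not a clean verdict, since RTF in particular allows the object class string to be obfuscated.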