Macro-based Malware Surged in December 2014, says Microsoft

According to MMPC (Microsoft Malware Protection Center), online threats in remarkable numbers have been attacking during December 2014 as they utilized macros for distributing malicious software through social engineering or spam, published threatpost.com dated January 5, 2015.

The employment of macros typically enables frequently utilized functions within Office in the automatic way. Infections from macro remained unchanged as also near zero everyday till December 4. During the middle of December, the infections shot up recording a peak of close to 8,000 incidences spotted on 17th December. But when Microsoft deactivated macros via the process of mechanization, infections dropped. The macros apparently targeted Microsoft consumers most prominently within United Kingdom and USA.

A socially-engineered tactic plays during the attack's initial stage that deceptively gets end-users to activate macros onto their PCs. For that, a spam mail regarding a finance topic arrives in the end-user's mailbox. The message carries one malware-laden attachment pretending to be certain Microsoft Office file. Actually, this attachment tricks the end-user in a way that he would activate macros. Once done, a payload is downloaded that's a Trojan downloader.

Indeed, there are dual trojans spread within the current campaign. These are TrojanDownloader:O97M/Tarbir and TrojanDownloader:W97/Adnel.

The junk electronic mails distributed display finance-related topics that are "Payment Details," "Invoice as requested" or "ACH Transaction Report."

Security Researcher Alden Pornasdoro at MMPC explains that the spam mail having the alleged finance related content, the instructional file and one apparently useful file-name, all three together make it persuasive enough for a gullible end-user to strike enter on the "Enable Content" option. Techworm.net reported this dated January 5, 2015.

Upon downloading of the Trojan installer, other more lethal malicious programs get installed on the contaminated PCs.

According to Microsoft, most orders and invoices end-users send do not require macros, but suppose end-users find such invoices/orders, they must exercise caution with them, like being selective about opening the kind of sheets or documents.

In the meantime, during 2014, Sophos too realized a rise in macro-oriented malicious software.

Consumers should be careful about macros that are either unsigned or arrive from dubious entities, Microsoft advises.

» SPAMfighter News - 1/13/2015