Attackers Split Words Coded in Macros to Evade Gmail Security Features

A few security solutions that Gmail maintains are designed to intercept malicious macros, but these security features can be evaded with the help of a technique which will be discussed later in this article.

To explain macros first-these are small codes embedded on Office documents that carry out several tasks in an automatic way, provided the computer-operator permits. Moreover, the workings of these tasks are also made easy with macros enabled. Consequently, macros from the beginning faced malware distributors' exploitation.

To make good of matters Microsoft intervened and stopped macros' automatic execution, while e-mail providers would search file-attachments to see if there are Office documents in them containing macros.

Researchers at security firm SecureState explain that Google mail instantly flags an Office file malicious when any macro is coded with one-or-more sensitive words. Gmail, which carried out certain tests, spotted one Excel document to be malicious because the macro was coded with the term "powershell" an extremely effective scripting utility of Microsoft. Now macros sometimes use the powershell feature for inter-relating with the existing operating system on the computer, which should be running only Windows OS. Virusguides.com posted this, July 20, 2016.

Coming to how Gmail's security features can be evaded. SecureState researchers found that the word-code in the macros should be split via placing part of it on one line and the remaining on the line below alternatively via making two separate portions of the word on the same line. So a hacker need only split the word 'powershell' in the manners described and use the feature.

Moreover, Mike Benich, researcher with SecureState believes Google mail labels a macro embedded onto an Excel file as malicious if it starts off a utility in Excel called "workbook open." He claims as having evaded Gmail's security feature also via shifting his ware underneath a button. According to him, an end-user who has enabled his macros alternatively edited the content of his infected Excel file wouldn't sufficiently help the attacker to run his malware immediately. It would run only when the end-user is made to press another button which requires some social engineering on the Excel file.

» SPAMfighter News - 7/25/2016