
    Macro Malware Strikes Again – and How You Can Avoid Getting Hit

    By BUFFERZONE Team, 3/02/2016

    In their quest to hack as many victims as possible while expending the least amount of effort, some cyber criminals have decided that instead of creating sophisticated and complex new malware, it’s far simpler to browse through their “Malware’s Greatest Hits” collection, and unleash an old standard for a new generation: macro malware.

    The Allure of Macro Malware: It Works

    Macro malware first reared its malicious head about 20 years ago – which in cyber threat time, makes it prehistoric. However, as noted above, cyber criminals are going retro for the only reason that ever matters to them: it’s working. Some of the recent grisly cyber crime scenes include England, where victims lost more than $4 million, and Ukraine, where in separate macro malware attacks a television station and the electric power industry were targeted; the latter affected hundreds of thousands of homes and businesses.

    And for those who think that macro malware is just stopping by for a short, threatening visit: think again. Softpedia reports that security companies around the world are spotting up to 100 samples each month. And McAfee has included macro malware on its list of threats to watch for in 2016, noting that: “Today’s macro malware developers are using common social engineering techniques to turn unwitting enterprise users into victims.”

    The Macro Malware Journey

    For those unfamiliar with these “common social engineering techniques”, here is typically how macro malware works:

    • Cyber criminals write a malicious macro in Microsoft Visual Basic for Applications (VBA) and embed it in a Word document.
    • Next, they launch spam email campaigns to lure unsuspecting victims into opening the file. Because the file is a .doc and not an .exe, victims don’t perceive a threat. What’s more, the documents are usually ordinary, such as an invoice. Sometimes the emails are personalized as well (e.g. name, job title, etc.).
    • Once victims open the attachment and the macro executes, the VBA code goes online, connects to a Command-and-Control server, and downloads a malicious .exe file – which could be a Trojan (e.g. Dridex, Dyreza, Zbot, BlackEnergy, etc.), ransomware (e.g. CryptoWall), or other malware. All of this happens automatically, and victims have no idea that something is wrong.
    • The malicious .exe continues running in the background after the document is closed, and even after victims logout or reboot their system.
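    The chain above starts with a document that carries a VBA project, so the earliest point a defender can intervene is when the attachment arrives. The following is an added example (it is not BUFFERZONE code and is not taken from this post) of a gateway-style check written in Python: it opens an Office Open XML attachment (.docx/.docm and friends, which are zip containers) and looks for the VBA project part and its content type, flagging a VBA project found inside a supposedly macro-free .docx as especially suspicious. The function and verdict names, the constructed sample documents, and the thresholds are all this example's own assumptions. Legacy binary .doc files (the OLE2 format the post mentions) are not zip containers; the example only routes them for separate OLE inspection rather than parsing them.

```python
"""Detect VBA macro projects inside Office Open XML attachments.

Added example for this post (not BUFFERZONE's product code). OOXML
documents are zip packages; a VBA project is stored as a part named
vbaProject.bin (under word/, xl/ or ppt/) and is declared in
[Content_Types].xml with the vbaProject content type. Legacy OLE2 .doc
files are not zip packages and need an OLE stream parser instead (for
instance olevba from the oletools project), so they are only flagged
for review here.
"""
import io
import os
import zipfile

# Part name that holds compiled VBA in an OOXML package.
VBA_PART_SUFFIX = "vbaProject.bin"
# Content type Office assigns to that part in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that should never carry macros; a VBA part inside one is a red flag.
MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}
# Magic bytes of an OLE2 compound file (legacy .doc/.xls).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict for one attachment: allow, quarantine, block or review.

    Verdict names are assumptions of this example; map them to whatever
    your mail gateway or endpoint policy engine actually supports.
    """
    ext = os.path.splitext(filename)[1].lower()
    if data.startswith(OLE2_MAGIC):
        return {"has_vba": None, "verdict": "review",
                "reason": "legacy OLE2 file; needs OLE stream inspection"}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"has_vba": False, "verdict": "allow",
                "reason": "not an OOXML container"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        vba_parts = [n for n in names if n.endswith(VBA_PART_SUFFIX)]
        content_types = ""
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    has_vba = bool(vba_parts) or VBA_CONTENT_TYPE in content_types
    if not has_vba:
        return {"has_vba": False, "verdict": "allow", "reason": "no VBA project part"}
    if ext in MACRO_FREE_EXTENSIONS:
        # Office refuses to store macros in .docx; a vbaProject.bin here is
        # either a renamed .docm or a crafted package.
        return {"has_vba": True, "verdict": "block",
                "reason": f"VBA project inside macro-free extension {ext}"}
    return {"has_vba": True, "verdict": "quarantine",
            "reason": "VBA project present: " + (", ".join(vba_parts) or "content type only")}


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed sample, not a real document)."""
    overrides = ('<Override PartName="/word/document.xml" '
                 'ContentType="application/vnd.openxmlformats-officedocument.'
                 'wordprocessingml.document.main+xml"/>')
    if with_macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      f'ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     f'{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docx", build_sample_docx(with_macro=False)),
        ("invoice.docm", build_sample_docx(with_macro=True)),
        ("invoice.docx", build_sample_docx(with_macro=True)),
        ("invoice.doc", OLE2_MAGIC + b"\x00" * 32),
    ]
    for name, blob in samples:
        print(name, inspect_attachment(name, blob))
```

    The check deliberately keys on the package structure rather than on the macro's source text, so it catches a VBA project regardless of how the macro body is obfuscated; what it cannot tell you is whether the macro is benign, which is why the result is a quarantine or review decision rather than an automatic delete.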

    The Long & Winding (Cyberthreat) Road

    Interestingly, there is a bit of a modern twist that has been added to the standard macro malware recipe: in order to evade antivirus software, the malware is taking longer to execute, and it is also following non-traditional threat patterns (what Softpedia refers to as “long as time-wasting loops”).
    Yet, even with this innovation, macro malware is the same old story: infect an endpoint, download malware, steal data, transfer to the network, and infect even more endpoints and servers. We have seen this before, and we will see it again – because, as noted, it works.
    Fortunately, there is an advanced protection solution to keep this ancient threat – and any of its modern successors – safely out of the picture: a virtual container solution.

    Virtual Containers: Macro Malware’s Last Stand

    A virtual container solution resides on the endpoint, and isolates all email attachments – whether they are .doc files, Excel files, PDFs, or anything else – from the hard drive and memory. As such, even when (would-be) victims open a document carrying a VBA macro, the threat cannot transfer to the endpoint, and from there make its way to the network. It is trapped in the virtual container, and can be wiped clean by IT staff — either before or after they lecture end users on what they should not be downloading!

    Furthermore, BUFFERZONE goes beyond other application isolation solutions by providing a dedicated container for email attachments. The email container is separate from the container used for web browsers, and is “locked down” to prevent exfiltration of potentially sensitive data in an attachment. With BUFFERZONE, employees can securely open attachments that contain personally identifiable information (PII) or other sensitive data, without risk of data leakage.