VBA purging on the rise
In this technique, the VBA code of a malicious Office document is stored inside streams of a Compound File Binary Format (CFBF) file; the VBA macro format (MS-OVBA) organizes that data in a hierarchy of streams of several types.
The VBA code itself lives in module streams, each holding a CompressedSourceCode part (the VBA source compressed with a proprietary algorithm) and a PerformanceCache part (P-code, the compiled form of the VBA code).
Office applications normally execute the PerformanceCache directly when the document was saved by an application with the same architecture and version; otherwise the compressed source code is decompressed, compiled, and executed. VBA purging removes the PerformanceCache from the module streams, leaving only the compressed source, so the application always takes the second path.
Detection rates for VBA-purged malicious documents have been observed to be around 67% lower than for malicious documents built with normal VBA code.
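The module-stream layout above means an analyst who wants the macro source of a purged document cannot rely on P-code and must inflate the CompressedSourceCode part. The following is an added example (not code from the article or from FireEye's OfficePurge) that decompresses an MS-OVBA container and flags a module as purged when its MODULEOFFSET is 0; the module-stream samples are hand-encoded here and the caller is assumed to have read MODULEOFFSET from the dir stream already.

```python
# Added example, not from the article or OfficePurge: inflate MS-OVBA
# CompressedSourceCode and flag modules whose PerformanceCache was purged.

def decompress_vba(container: bytes) -> bytes:
    """Inflate an MS-OVBA 2.4.1 container: 0x01 signature byte, then chunks."""
    if not container or container[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out, pos = bytearray(), 1
    while pos < len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        if header & 0x7000 != 0x3000:
            raise ValueError("bad chunk signature bits")
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(container))  # size covers the header
        chunk_out_start, pos = len(out), pos + 2
        if not header & 0x8000:              # flag clear: chunk stored raw (up to 4096 bytes)
            out += container[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:               # token sequences: flag byte + up to 8 tokens
            flags, pos = container[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:   # literal token: one plain byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = int.from_bytes(container[pos:pos + 2], "little")
                pos += 2
                difference = len(out) - chunk_out_start
                bit_count = max(4, (difference - 1).bit_length())  # ceil(log2(diff)), min 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):      # byte-wise copy so overlapping runs work
                    out.append(out[-offset])
    return bytes(out)

def is_purged(module_offset: int) -> bool:
    """MODULEOFFSET (from the dir stream) is where CompressedSourceCode starts in the
    module stream; 0 means no PerformanceCache (P-code) precedes it, i.e. it was purged."""
    return module_offset == 0

def extract_source(module_stream: bytes, module_offset: int) -> bytes:
    """Return the decompressed VBA source, skipping any P-code before MODULEOFFSET."""
    return decompress_vba(module_stream[module_offset:])

# Constructed samples (hand-encoded, not taken from a real document):
PURGED_MODULE = bytes.fromhex("01 05b0 08 616263 0620")  # 'abc' + copy(offset 3, len 9)
UNPURGED_MODULE = b"\x00" * 8 + PURGED_MODULE              # 8 placeholder P-code bytes first
```

On a real file the module streams and MODULEOFFSET values come from the CFBF directory and the VBA dir stream; a purged module reports offset 0 and its stream begins directly with the 0x01 container byte.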
Besides the new VBA purging attacks, several attackers have been observed using VBA code in malicious Microsoft Office documents.
In early December, DeathStalker used a macro-based delivery chain that ultimately ran PowerPepper and set up its persistence.
In another attack, an espionage campaign spreading the Bandook Trojan was found using a template document containing VBA code.
An open-source tool
FireEye, a cybersecurity company, has released the OfficePurge tool, which supports VBA purging of Excel (.xls), Publisher (.pub), and Word (.doc) documents. In addition, it ..