Attackers Seek New Strategies to Improve Macros' Effectiveness

The use of malicious macros to infect Windows systems grew significantly in the past year, as attackers found ways to bypass — or convince users to click through — the warnings meant to defend systems.

The latest scheme to infect computer systems uses an old-school lure: a receipt. Reminiscent of technical-support scams, the recent BazarCall campaign spams out a variety of invoices or receipts that essentially claim the target will be charged tens or hundreds of dollars for a subscription or product, and that tell the recipient to call a given number to opt out, says Chester Wisniewski, principal research scientist for anti-malware firm Sophos.

"You then get connected to an Indian call center, where a person directs you to a Web site to download an infected Word document with a macro and talks you through enabling the macros," he says. "And because of that human element, I'm suspecting that they are getting a higher success rate."

Microsoft Office documents with malicious macros — often called "maldocs" — have resurged as a vector to infect systems, growing in the last half of 2020 to account for more than a third of malicious attachments and, at one point in September 2020, accounting for almost 80% of malicious attachments, according to data from Sophos.

Macros have had a long history of use by attackers, with many early viruses and worms — including the Melissa virus — using Office documents with malicious macros to spread. Microsoft Word documents and Excel spreadsheets are equally popular among attackers, and modern cybercrime services allow attackers to easily create maldocs. Some macros even