Delivering malware, a cybercrime practice that spans every skill level and adversarial motivation, can take various forms. But all too often, malicious payloads are served up via macros in productivity files, accounting for much of the overall malware delivery around the world. Why? Organizations and webmail providers typically don’t block these types of files, and by hiding malcode inside macros, cybercriminals can conceal their intentions until a potential victim unwittingly unleashes the payload.
Macros are an integral part of office productivity software, such as document, presentation and spreadsheet creation programs. Their role is inherently legitimate: They help users automate sequences of actions they perform often, recording the flow once and then launching it with the click of a button. But while macros were created to improve efficiency, it wasn’t long before attackers found a way to abuse this feature.
IBM X-Force research frequently encounters the use of malicious macros in the investigation of incidents, threat hunts and intelligence research. Per X-Force Incident Response and Intelligence Services (IRIS), at least 22 percent of reported campaigns in April 2019 delivered malware via booby-trapped macros. The number fluctuates and can easily reach more than a third of campaigns as attackers vary their malspam volume over time.
Given the continuous prevalence of this threat tactic, it is important for security teams to understand its usage, how to protect networks against such attacks and the methods that defenders can leverage to help detect malicious macro activity.
Some Malicious Macro History
The weaponization of macros happ ..