ThreatList: Microsoft Macros Remain Top Vector for Malware Delivery

Attacks using malicious Microsoft macros, always a popular method for compromising target machines, are more virulent than ever, accounting for 45 percent of all delivery mechanisms analyzed in August.

Top Malware Delivery Mechanisms in August

Just behind this tried-and-true method lies the Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882), a bug that lets an attacker execute arbitrary code. A report released Thursday by Cofense Intelligence showed it to be responsible for 37 percent of malware delivery last month, despite having been patched since last November.

The remaining 18 percent of delivery mechanisms spotted in August is made up mainly of batch scripts, PowerShell scripts and downloaders for Microsoft Windows scripting component files (often seen in games). All of these trail far behind the two leading vectors, at less than 6 percent of attacks each.

The report shows that weaponized Microsoft Office documents delivered via email maintain their strong hold as the “delivery mechanism du jour” – and notably, not just for the low-hanging fruit types of campaigns that make use of spray-and-pray mass spam efforts.

Macros, of course, make a lot of sense for delivering a malicious payload to the endpoint because a single mouse-click by the user, when prompted, is enough to allow them to run. And although Microsoft disables macros in Office by default, some enterprises have turned them on, in which case the user sees no prompt at all and may have no other indication that anything is amiss.

“This makes it almost trivial to launch the first stage of an infection chain,” said Cofense researcher Aaron Riley. “Macros, used as such, are embedded Visual Basic scripts typically used to facilitate either the download or direct execution of further payloads.”

Cofense found that while the macro approach is easy to execute and has an extremely low barrier-to-entry, the malware being delivered includes the most malignant out there, including Geodo (accounting for the majority of the observed macro-delivered payloads), Chanitor/Hancitor (the second-most delivered payload), AZORult and GandCrab – along with more commodity fare like TrickBot.

“The range of different types of malware, from simple bots to ransomware, shows that mature and amateur operators alike are using this vehicle to get the payload to the endpoint,” Riley noted.

The analysis also found that CVE-2017-11882, a vulnerability in the Microsoft Office Equation Editor component, is the second-most used vector for delivering malware, almost as prevalent as macros.

“The vulnerability resides in the Equation Editor Component which, when used, runs as its own process (eqnedt32.exe),” Oleg Kolesnikov, researcher at Securonix, explained to us recently. “Because of the way it was implemented, it doesn’t support Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). A malicious document exploits the vulnerability to execute a command.”

The Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882) is being used in the wild by the Osiris banking trojan, the FELIXROOT backdoor and Imminent Monitor, a legitimate tool that is being abused as spyware, among many others.
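Both vectors in the report, a VBA macro project and an embedded Equation Editor object, leave static fingerprints in an OOXML package that a mail gateway or analyst can check without opening the file in Office. The script below is an added example of that triage, not Cofense's or anyone else's published tooling. It looks for the `vbaProject.bin` part and its registered content type (the macro case), and for an `o:OLEObject` with `ProgID="Equation.3"` or an embedded OLE blob carrying the Equation Editor's CLSID `0002CE02-0000-0000-C000-000000000046` (the CVE-2017-11882 case). The sample documents are constructed in memory and contain no real payload; treating the CLSID match inside an embedding as a hit is a heuristic, not proof of exploitation.

```python
"""Static triage of OOXML documents for the two delivery vectors in the
Cofense report: VBA macro projects and embedded Equation Editor objects.
Added example; the sample packages below are constructed, not real samples."""
import io
import re
import uuid
import zipfile

# Content type an OOXML package registers for its VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# ProgID Word writes for an embedded Equation Editor 3.0 object.
EQUATION_PROGID = re.compile(r'ProgID="Equation\.3"', re.IGNORECASE)
# CLSID of the Equation Editor COM server (eqnedt32.exe).
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
# Refuse to inflate absurdly large parts (cheap zip-bomb guard).
MAX_PART_BYTES = 50 * 1024 * 1024


def triage_ooxml(data: bytes) -> dict:
    """Report which delivery vectors an OOXML document carries.

    Reads only zip metadata, the content-types part, XML parts and embedded
    OLE blobs; never executes or renders the document."""
    result = {"vba_macro": False, "equation_editor": False, "ole_objects": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["error"] = "not an OOXML package"
        return result
    with zf:
        for info in zf.infolist():
            if info.file_size > MAX_PART_BYTES:
                result["error"] = f"oversized part {info.filename}"
                return result
            name = info.filename.lower()
            if name.endswith("vbaproject.bin"):
                result["vba_macro"] = True
            elif name == "[content_types].xml":
                if VBA_CONTENT_TYPE in zf.read(info).decode("utf-8", "replace"):
                    result["vba_macro"] = True
            elif name.endswith(".xml"):
                if EQUATION_PROGID.search(zf.read(info).decode("utf-8", "replace")):
                    result["equation_editor"] = True
            elif "/embeddings/" in name:
                result["ole_objects"].append(info.filename)
                # CFB directory entries store the server CLSID as a little-endian GUID.
                if EQNEDT_CLSID.bytes_le in zf.read(info):
                    result["equation_editor"] = True
    return result


def _build_package(parts: dict) -> bytes:
    """Assemble a minimal OOXML-style zip from {part name: bytes-or-str}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample parts (hypothetical content, trimmed to what the checks need).
CT_CLEAN = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
)
CT_MACRO = CT_CLEAN.replace(
    "</Types>",
    '<Override PartName="/word/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + '"/></Types>',
)
DOC_CLEAN = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:o="urn:schemas-microsoft-com:office:office" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    "<w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body></w:document>"
)
DOC_EQUATION = DOC_CLEAN.replace(
    "<w:t>Invoice attached</w:t>",
    '<w:object><o:OLEObject Type="Embed" ProgID="Equation.3" ShapeID="_x0000_i1025" '
    'DrawAspect="Content" ObjectID="_1" r:id="rId5"/></w:object>',
)
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header signature

SAMPLES = {
    "clean.docx": _build_package({"[Content_Types].xml": CT_CLEAN, "word/document.xml": DOC_CLEAN}),
    "macro.docm": _build_package({
        "[Content_Types].xml": CT_MACRO,
        "word/document.xml": DOC_CLEAN,
        "word/vbaProject.bin": CFB_MAGIC + b"\x00" * 64,  # placeholder, not a real project
    }),
    "equation.docx": _build_package({
        "[Content_Types].xml": CT_CLEAN,
        "word/document.xml": DOC_EQUATION,
        "word/embeddings/oleObject1.bin": CFB_MAGIC + b"\x00" * 8 + EQNEDT_CLSID.bytes_le + b"\x00" * 32,
    }),
}


def triage_samples() -> dict:
    """Run the triage over every constructed sample; keyed by file name."""
    return {name: triage_ooxml(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name}: {verdict}")
```

On a gateway the useful policy is the one the report implies: quarantine anything with `vba_macro` set unless the sender is expected to send macro-enabled files, and quarantine anything with `equation_editor` set outright, because a legitimate Equation Editor object is rare in inbound mail and the component is disabled by Microsoft's CVE-2017-11882 guidance. The check is a heuristic: RTF samples carrying the same exploit are not zip packages and need a separate `\objclass Equation.3` check, and a determined attacker can obfuscate the ProgID.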

The takeaway? New types of document attacks that target inboxes without needing macros to trigger an infection chain are emerging, and stealthy approaches using lightweight scripts are on the rise. For now, though, macros remain at the top of cybercriminals' playbooks, alongside bets on unpatched machines. So basic security hygiene, keeping macros disabled and patches applied, remains the best first line of defense for users.