Malware attacks may have decreased in the last quarter of last year, but a new global trend has been unfolding: the use of macro-enabled documents for malware delivery.
This was one of the findings revealed by Cofense, provider of phishing defence solutions, in its recently released Q4 2019 Malware Trends Report. The report gives insight into the malware families, delivery methods and campaigns that were prominent globally during the past quarter. Cofense is distributed throughout sub-Saharan Africa by Networks Unlimited Africa.
“The intention of a macro is to assist with automating repetitive tasks,” says Stefan van de Giessen, general manager for cybersecurity at Networks Unlimited Africa. “Macros can be found in Microsoft Office documents such as Word, Excel and PowerPoint, containing embedded code written in a programming language known as Visual Basic for Applications (VBA).
“However, threat actors can write VBA code to create macros that do harmful things and are embedded in documents that are then distributed online. Despite awareness and security efforts, macro-enabled documents continue to find their way into users’ inboxes.
“These documents are an initial intrusion vector for several malware families, such as the Emotet trojan. Few companies can completely disable macros, as they provide a valuable function in many environments.”
According to Wikipedia, Emotet is a banking trojan and botnet that distributes malicious emails to harvest financial information by injecting computer code into the networking stack of an infected Microsoft Windows computer, allowing sensitive data to be stolen via transmission.
Emotet’s disguises in distributing malicious emails during Q4 2019 included the delivery of fake financial invoices and invitations to a Christmas party, as well as other phishing bait. The Cofense report notes that other malware families were not as prolific, decreasing in volume as the quarter went on.
“As the report noted, Emotet is one of a number of threats currently facing organisations,” says Van de Giessen, “and so it is imperative to understand the current phishing landscape, as well as its future evolutions, to help organisations protect themselves from security breaches.”
According to the Cofense report, Emotet is likely to continue its infections into 2020. The report noted: “On the malware front, Windows 7’s end-of-life will probably lead to the creation of new malware and look for targeted ransomware to continue growing. 2020’s election season may bring about more phishing, while geopolitical events can result in more cyber threats.”
The report also singled out the information stealer Loki Bot, which took the top spot as the most prevalent non-Emotet malware, with the Agent Tesla keylogger in second place. It is possible that less-experienced threat actors have preferred Loki Bot over its competition because of its easy deployment and low maintenance, enabling more distribution with less effort.
Says Van de Giessen, “This all goes to emphasise, once again, that technology alone is not enough when we try to assist both individuals and organisations to fight against cybercrime. The consistent ethos behind Cofense’s solutions is to unite people with technology, offering human-focused phishing defence solutions which enable people to identify, report, and mitigate such threats as spear phishing and malware.”