Half a million computers infected as Macro Malware makes a comeback

A recent Microsoft study has revealed that macro malware attacks have been rapidly increasing in number and intensity. In the last year alone, the number of active macro malware families and infected machines has more than quadrupled compared with early 2014. These document-based malware attacks are usually carried out through spam emails that arouse the user’s curiosity to open the infected attachment. Such attacks have infected over 500,000 unique machines, making macro malware a major threat once again.

Macro malware is mostly spread through spam emails. Users open the attached documents and enable the macro, thinking it is necessary to view the document properly. This allows the macro downloader to execute, creating a gateway for other malware to get into the system. As stated by Microsoft:

“When a malicious macro code runs, it either downloads its final payload, or it downloads another payload courier in the form of a binary downloader.”

The infection procedure is illustrated below:

Macro malware infection chain. Source: http://blogs.technet.com/

A Gateway to greater threats

Some of the main threats downloaded by recent macro downloaders include malware like Drixed and the banking trojan Vawtrak. The downloaded malware packages have advanced capabilities, including screenshot and video capture and launching man-in-the-middle attacks. However, like most other malware, the primary goal of these threats is to steal sensitive information. Although macro malware is a worldwide threat, most recent attacks have targeted the U.S. and the U.K. The next most infected countries are Mexico, Poland, Italy, France and Germany.

Although macro malware comes disguised in the form of a document and can easily infect a computer, it still requires the user’s consent to execute. Microsoft noted:

“Macro threats, as payload couriers, seem to gain popularity as an effective infection vector. But unlike exploit kits, these macro threats require user consent to run.”

Despite that fact, the sheer number of infected computers shows that macro malware is a very large-scale and serious threat. This is a surprising find at a time when we were beginning to think that document-based macro malware was a thing of the past. In order to prevent getting infected through a macro downloader, users must ensure that they have up-to-date malware protection and be careful about enabling macros.
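The infection chain above starts with a document that carries a VBA project, so a simple defensive check at the mail gateway is to ask whether an attachment contains one at all before it ever reaches a user who might click "Enable Content". The script below is an added example, not code from this post, from Emsisoft or from Microsoft. It relies only on the structure of Office files: OOXML documents (.docx, .docm, .xlsm and similar) are ZIP containers, and a VBA project is stored inside them as a part named vbaProject.bin; legacy .doc/.xls files are OLE2 compound files, which the script only flags for deeper inspection rather than parsing. The sample "inbox" at the bottom is constructed in memory; the packages it builds are minimal stand-ins, not real Word documents.

```python
"""Mail-gateway triage: flag Office attachments that carry a VBA macro project.

Added example (not from the post). Assumptions: OOXML packages are ZIP files
with a [Content_Types].xml part, and a VBA project appears as a part ending in
vbaProject.bin; legacy binary Office files start with the OLE2 magic bytes.
"""
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls container signature
ZIP_MAGIC = b"PK\x03\x04"                         # ZIP local file header (OOXML is a ZIP)

LEGACY_FINDING = "legacy OLE2 document: may embed VBA, needs a full OLE parser"
VBA_FINDING = "OOXML package contains a VBA project (vbaProject.bin)"


def ooxml_has_vba_project(data: bytes) -> bool:
    """True if the bytes form an OOXML package that contains a vbaProject.bin part."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    # Every OOXML package carries [Content_Types].xml; the VBA part lives under
    # word/, xl/ or ppt/ depending on the application, so match on the suffix.
    return "[Content_Types].xml" in names and any(
        n.endswith("vbaProject.bin") for n in names
    )


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the list of findings for one attachment; an empty list means nothing to flag."""
    findings = []
    if data.startswith(OLE2_MAGIC):
        # Legacy format: deciding whether VBA is present needs a real OLE parser
        # (e.g. oletools), so the gateway only marks it for review here.
        findings.append(LEGACY_FINDING)
    if ooxml_has_vba_project(data):
        findings.append(VBA_FINDING)
    return findings


def build_sample_package(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style package (not a real Word file) for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbox: one clean document, one macro document, one legacy file.
    inbox = [
        ("report.docx", build_sample_package(with_macro=False)),
        ("invoice.docm", build_sample_package(with_macro=True)),
        ("old_order.doc", OLE2_MAGIC + b"\x00" * 24),
    ]
    for name, body in inbox:
        verdict = triage_attachment(name, body)
        print(f"{name}: {'FLAG: ' + '; '.join(verdict) if verdict else 'ok'}")
```

The check is deliberately cheap: it never executes or decompiles the macro, it only answers "does this attachment contain a VBA project at all?", which is the question a gateway needs in order to quarantine or strip the file, or at least warn the recipient, before the "enable macros" prompt ever appears.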

Have a nice (malware-free) day!

  • Flavia Auditore da Firenze

    There’s a typo in the malware name – it’s “Dridex” :P

    Otherwise, great writeup!

    • Fabian Wosar

      Dridex is the name the malware author gave the malware. It is common policy for a lot of AV companies to choose a name different from the malware author’s name when it comes to naming the malware family, in order to not give the malware author any credit. That is why Microsoft, which this blog post refers to, calls the infection Drixed.