Hackers like being efficient as much as any programmer, so it’s common for them to recycle and reuse attack methods that work. That’s why the rush of macro-less malware we saw in late 2017 might’ve seemed familiar to anyone who studied traditional macro malware like the Melissa virus from the late 90s. One of our security researchers, Marc Laliberte, wrote a guest article for Help Net Security explaining how macro-less malware works and why it’s a new variation on an old theme.
Macro malware used Microsoft Word macros to embed malicious Visual Basic code directly into a Word document. Macro-less malware uses a Microsoft protocol called Dynamic Data Exchange to run the malicious code. Both these attacks present a similar prompt that the user needs to click for the malicious code to run. Here’s a brief excerpt from Marc’s article describing these prompts:
With Microsoft Office 2003 and later, Microsoft changed macro warning prompts to highlight their security implications, using yellow shields and prominent “Security Warning” messages. DDE execution prompts however, are simple grey boxes, sometimes with no mention of security, that ask users “This document contains links that may refer to other files. Do you want to update this document with the data from the linked file?” In other words, DDE is now handled similarly to how traditional macros were handled 20 years ago back in Office ’97. New attack method, but the same user interaction.
Macro-less malware is a good reminder that there’s no real substitute for good user education in infosec. Read Marc’s complete article on Help Net Security and learn more about malware reuse and password-protected Office files here on Secplicity.