CISOs with IT environments running older versions of Microsoft Office must upgrade immediately or risk the suite being used to spread malware using an old trick.
This warning comes from Cisco Systems’ Talos threat intelligence service, after it discovered several new documents created in Office that try to spread malware through Visual Basic macros.
Threat actors have for years used macros, which automatically run scripts, as a way of introducing malware to unsuspecting users downloading documents they think are safe. Running behind the scenes, the macros install malware or link to a command and control server that downloads malware.
Microsoft has tried to blunt that tactic in two ways:
- urging Office administrators and users to disable the automatic running of macros so users have to click on a warning first, or ensure users can’t enable macros. Hopefully, with awareness training, users will either not run the script or check with IT security;
- since July 2022, by changing Windows versions of Office and Office 365 so they no longer run macros automatically in files downloaded from the internet. According to Proofpoint, that’s been successful: the use of macro-enabled attachments by threat actors dropped 66 per cent in the nine-month period between the time Microsoft announced it would block macros and when it actually started implementation.
However, in a blog this week Cisco Talos researchers said they recently found several macro-infected documents, uploaded to the VirusTotal malware testing website, that had been created with a framework called MacroPack. The files could deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks, and a new variant of the PhantomCore remote access trojan.
Havoc and Brute Ratel are tools made for penetration testers, the report noted. However, tools made for testers and defenders are regularly used by threat actors. The best example is the Cobalt Strike tool.
A common feature in all of the malicious documents Cisco Talos took apart is the presence of four non-malicious VBA subroutines. These subroutines appeared in all the samples and were not obfuscated. Talos researchers suspect the benign code is included to lower the level of suspicion attached to the code generated by MacroPack.
Is this a new malware campaign by a threat actor? Maybe not. MacroPack is a framework created for Red Teams to test the defences of willing organizations, so the report says it is possible the examples it found were part of red teaming exercises. In fact, the researchers were able to confirm some of the samples were part of Red Team activities. Others, however, contained certain tactics and techniques that seem malicious.
At the very least, Cisco said, infosec pros should take the discovery as a reminder to update their Office suites to the latest version.
Note that while defenders use VirusTotal to upload suspect documents, a threat actor can use the site to see if an anti-virus engine can detect malware it created.
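Because the lures described here all depend on a document carrying a VBA project, a first triage step for defenders is to check whether an Office file actually contains one, and whether its file name hides that fact. The script below is an added example, not code from the Cisco Talos report; it builds a constructed minimal OOXML container in memory (not a real document) and inspects it for a `vbaProject.bin` part and a macro-enabled content type.

```python
import io
import re
import zipfile

VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_TYPE_RE = re.compile(r"application/vnd\.ms-[a-z]+\.[a-z]+\.macroEnabled", re.I)
DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"

def build_sample(macro_enabled: bool) -> bytes:
    """Constructed minimal OOXML package for demonstration only; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        main_type = DOCM_MAIN if macro_enabled else DOCX_MAIN
        overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>']
        if macro_enabled:
            overrides.append('<Override PartName="/word/vbaProject.bin" '
                             'ContentType="application/vnd.ms-office.vbaProject"/>')
            # Only the OLE compound-file magic bytes; no real VBA project is embedded.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                   'package/2006/content-types">' + "".join(overrides) + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

def triage(data: bytes, filename: str) -> dict:
    """Report whether an OOXML file carries VBA and whether its name disguises that."""
    result = {"is_ooxml": False, "vba_parts": [], "macro_enabled_type": False,
              "extension_mismatch": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        result["vba_parts"] = sorted(n for n in names if n in VBA_PARTS)
        types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_enabled_type"] = bool(MACRO_TYPE_RE.search(types_xml))
    has_vba = bool(result["vba_parts"]) or result["macro_enabled_type"]
    # A macro-free extension (.docx/.xlsx/.pptx) wrapped around a VBA project is a red flag.
    result["extension_mismatch"] = has_vba and filename.lower().endswith((".docx", ".xlsx", ".pptx"))
    return result
```

On a real sample, a non-empty `vba_parts` list is the cue to hand the file to a VBA extraction tool for closer inspection rather than opening it.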
Four suspicious clusters of documents
Suspicious documents found by Cisco Talos include:
- a purportedly encrypted renewal document from the US Nationwide Multistate Licensing System and Registry, which manages licences of US mortgage companies. The example uploaded to VirusTotal dates back to March 2023;
- a cluster of three files uploaded to VirusTotal from IP addresses in China, Taiwan, and Pakistan in May and June. They have similar lures aimed at users, with a generic Word document including a request to “enable content” – in other words, enable the running of a macro. All of the command and control IP addresses for the payloads go to a server in China’s Henan province;
- a cluster of documents with military themes linked to Pakistan and uploaded from two different locations within that country. One purported to announce new awards for certain officer ranks in the Pakistan Air Force. The other claimed to be a confidential document for a specific person, confirming their employment as a civilian research officer in Pakistan’s Air Force cyber team;
- an empty Excel workbook uploaded to VirusTotal from a Russian IP address. The macro launches a new instance of Excel with a new workbook that attempts to download and execute a file from a server. This server had a sample of the Golang-based PhantomCore backdoor. According to Cisco Talos, researchers at Kaspersky have attributed this backdoor to a Ukrainian hacktivist who allegedly tries to spy on Russian government and private sector organizations.
Microsoft offered this guidance to Office admins and users facing downloaded documents with macros: when an email attachment with a macro is opened in an Office version released after mid-2022, a red security warning pops up explaining that the macro has been blocked. There’s also a button labelled “Learn more” that goes to an article explaining the security risk of enabling the macro.