Proofpoint has today issued a new report which exposes the economic and technical drivers behind the recent rise in malicious macro campaigns.
Since late 2014, security researchers and organizations have witnessed massive unsolicited email campaigns bearing what at first seemed to be a “throwback” threat. Microsoft Office document attachments with malicious macro code that could download malware onto the client system.
Deceptively simple and flexible malicious macros have returned in a big way and are driving today’s massive unsolicited email campaigns and tricking end-users into clicking.
Proofpoint’s report examines the technical and business drivers behind the recent explosion in malicious macros and reveals that from a cost perspective, malicious macros deliver the most ‘bang for the buck’ because they combine lower up-front and maintenance costs with higher effectiveness to create a ‘killer app’ for cybercriminals.
The full report can be downloaded at the following link, however key takeouts include:
- For malware to be cost-effective, it must first and foremost be effective. The ability of malicious macros to consistently evade defenses and entice end-users to click is a critical aspect of their success and attractiveness to threat actors. The main contributors to the effectiveness of malicious macro exploits are:
- Ability to evade both signature-based and behavioural defenses
- Ease of tricking end-users into enabling the malicious content in the document
- Cheap and easy to create new versions to stay ahead of detection techniques
- They do not exploit vulnerabilities that can be patched; instead, the propensity of end-users to click is the vulnerability
- Proofpoint observes dozens of new or modified malicious macros daily. While there are many custom or one-off macros, we have observed at least four to five established sellers who regularly market their services to multiple actors.
- Malicious macros are cost-effective: The budget for a malicious document (or “maldoc”) campaign can range from zero to US$1,000. In addition to the services of a few established sellers such as Xbagging and MacroExp, there are many open-source examples for cost-constrained or do-it-yourself actors of how to weaponize a Microsoft Word document with a malicious macro.
- Malicious macros are effective: Unlike attachments that exploit known or zero-day vulnerabilities, malicious macro attachments may lead to higher success rates because they do not rely on the presence of an unpatched vulnerability in Microsoft Windows or office, or other common applications.
- While the campaigns themselves have expanded their repertoire beyond Word documents to include other types of Microsoft Office document types – primarily Excel – and templates such as HTML and XML, malicious messages with attachments remain a prominent