Taking Advantage of Worker Habits

Wednesday, September 30, 2015 @ 01:09 PM gHale

More hackers are turning to Visual Basic as a way to deliver their malware using Microsoft Word documents, a researcher said.

By hiding Visual Basic for Applications (VBA) code inside Word files, attackers are taking advantage of the working habits of millions of employees around the world, who regularly receive and open Word documents without ever thinking twice about it, said Graham Chantry, a researcher at Sophos.


VBA is a programming language developed by Microsoft to help programmers create Windows applications using an easy-to-understand coding syntax.

There are hundreds of VBA malware templates on the Dark Web which attackers can download, bundle inside .doc or .docx files, and then send to victims via spam or spear-phishing campaigns, Sophos researchers said.

In fact, the number of new VBA malware samples Sophos discovers each month is between 50 and 100.

In most cases, the malware acts only as a downloader for further threats, mainly because bundling it inside Word documents is easier than relying on more complex exploits such as the Word macro vulnerability, the researchers said.

Most of the time, VBA malware ends up used to download the Dridex malware, the CryptoWall ransomware, or other types of malware.

Besides obfuscation intended to make reverse engineering harder and more time-consuming, researchers have also started seeing VBA malware make unusual calls to rarely used system functions, and make those calls inside very long, time-wasting loops.

The purpose of this technique is to make the malware take much longer to execute, which makes it very hard for antivirus engines to detect it as malicious.

Because scanning then takes longer, some antivirus solutions abandon the scan, either because of limited resources or because built-in rules deem the scan inconclusive. An antivirus vendor wants to avoid situations where its product scans a single file for minutes or hours, but an attacker has everything to gain, even if the malware only runs after the antivirus gives up.
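The indicators the article describes (an auto-executing entry point, calls to rarely used system functions, and very long counted loops meant to stall a scanner) can be scored statically once the macro source has been extracted from the document, so a defender never has to run it. The following is an added example, not code from Sophos or from the article: it assumes the VBA source has already been pulled out of the file as text (for instance with an extraction tool of your choice), and the indicator list, regular expressions, weights and threshold are this example's own assumptions, not a published rule set. The two macros at the bottom are constructed samples: one benign formatting macro and one inert sample of the stalling pattern.

```python
import re

# Indicator table: (label, pattern, weight). Weights and threshold are assumptions
# chosen for this example; tune them against your own sample set.
INDICATORS = [
    ("auto-exec entry point",
     re.compile(r"\b(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b", re.I), 3),
    ("Win32 API import via Declare",
     re.compile(r"\bDeclare\b.*\bLib\s+\"(kernel32|user32|urlmon|wininet|shell32)", re.I), 3),
    ("process launch / shell",
     re.compile(r"\b(Shell|CreateObject\s*\(\s*\"WScript\.Shell\")", re.I), 3),
    ("file download helper",
     re.compile(r"\b(URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest)\b", re.I), 3),
    ("very long counted loop (stalling)",
     re.compile(r"\bFor\s+\w+\s*=\s*\d+\s+To\s+(\d{6,})", re.I), 2),
    ("rarely used timing call (stalling)",
     re.compile(r"\b(Sleep|GetTickCount|QueryPerformanceCounter|SetTimer)\b", re.I), 1),
    ("string obfuscation helper",
     re.compile(r"\b(Chr\s*\(|StrReverse\s*\(|Xor\b)", re.I), 1),
]

LOOP_BOUND = re.compile(r"\bFor\s+\w+\s*=\s*\d+\s+To\s+(\d+)", re.I)


def score_vba(source: str):
    """Return (total_score, [matched indicator labels]) for one macro source text."""
    hits, total = [], 0
    for label, pattern, weight in INDICATORS:
        if pattern.search(source):
            hits.append(label)
            total += weight
    return total, hits


def max_loop_bound(source: str) -> int:
    """Largest literal upper bound of any counted For loop (0 if none).

    A bound in the tens of millions with nothing useful in the loop body is the
    stalling pattern the article describes; it is cheap to spot statically."""
    bounds = [int(m.group(1)) for m in LOOP_BOUND.finditer(source)]
    return max(bounds) if bounds else 0


def classify(source: str, threshold: int = 5):
    """Map a score to a verdict string; returns (verdict, score, hits)."""
    total, hits = score_vba(source)
    verdict = "suspicious" if total >= threshold else "likely benign"
    return verdict, total, hits


# Constructed benign sample: tidies tables in the active document.
BENIGN_MACRO = """
Sub FormatReport()
    Dim tbl As Table
    For Each tbl In ActiveDocument.Tables
        tbl.Borders.Enable = True
    Next tbl
End Sub
"""

# Constructed, inert sample of the stalling pattern: auto-exec entry point,
# a rarely used kernel32 call, and a huge counted loop that does nothing useful.
SUSPICIOUS_MACRO = """
Private Declare PtrSafe Function GetTickCount Lib "kernel32" () As Long

Sub AutoOpen()
    Dim i As Long, t As Long
    For i = 1 To 90000000
        t = GetTickCount()
    Next i
End Sub
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_MACRO), ("stalling", SUSPICIOUS_MACRO)):
        verdict, total, hits = classify(src)
        print(f"{name}: {verdict} (score {total}, max loop bound {max_loop_bound(src)})")
        for h in hits:
            print("   -", h)
```

The scorer is deliberately static: the whole point of the stalling loop is to exhaust a dynamic scanner's time budget, and a regex pass over the source costs the same whether the loop bound is 10 or 90 million. Treat the output as a triage signal rather than a verdict; legitimate automation also uses `Declare` and `Shell`, which is why the weights and threshold need tuning against known-good macros from your own environment.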