Hackers are returning to a decade-old method for inserting malware into people’s machines, according to a recent report from security solutions company Sophos Ltd.
In the period between March and May of 2014, Sophos researchers found that the third most prevalent document-based infection came from Visual Basic for Applications (VBA) downloaders. Back in the 1990s flaws in the programming language were a favourite target of cyber crooks although the attacks appeared to level off around 2001.
Unfortunately VBA-related malware have reappeared in different forms, according to Gabor Szappanos, a researcher with Sophos.
“Current trends show that [hackers] have moved one step further into the Ofﬁce realm: they have discovered the long-forgotten VBA macros and added them to their repertoire,” Szappanos wrote. “When the aim is to infect a large number of users, good old social engineering never fails to deliver the results.”
However, it hasn’t reared its head again in the form of self-replicating viruses as it once did. Instead, it’s cropping up again as downloadable Trojans or backdoors, thanks to some of the vulnerabilities in Office. Using a combination of these VBA downloaders and some social engineering, hackers will use Office documents to deliver their malware.
What typically happens is that a user will receive some kind of document – for example, a Microsoft Word document. However, the way these VBA downloaders have been built is that they can’t be opened in any Office suite newer than 2007, since Office has disabled VBA macros by default.
To get around this, hackers will encourage users to disable the macros so they can see the full content of the document. For example, the document may look like a blurry transaction document, or it may be marked as confidential. Hackers will be as helpful as to provide arrows and instructions on how to enable the macros, therefore opening users up to infection. Once the document gets opened again, the code for the VBA downloader will execute.
With this discovery, Sophos researchers are warning users to be careful about what they download and what they open.
“There is no justiﬁcation as to why the content of a document can only be displayed properly if the execution of macros is enabled,” Szappanos wrote. “If you receive a document with this advice, be aware: you are probably being attacked.”