It may have been a while since you’ve seen the viruses that once were a risk to Microsoft Word and Excel users in the 1990s. As threatening flaws in the programming language for Visual Basic for Applications (VBA), they peaked in the 1990s and levelled off around 2001.
Yet while VBA-related malware might seem like a relic of the past, Sophos Ltd. researcher Gabor Szappanos argues it’s not – it’s just reappeared in different forms. In fact, between March and May of 2014, the third-most prevalent document-based infection came from VBA downloaders, he wrote in his report.
However, it hasn’t reared its head again in the form of self-replicating viruses as it once did. Instead, it’s cropping up again as downloadable Trojans or backdoors, thanks to some of the vulnerabilities in Office. Using a combination of these VBA downloaders and some social engineering, hackers will use Office documents to deliver their malware.
“Current trends show that [hackers] have moved one step further into the Ofﬁce realm: they have discovered the long-forgotten VBA macros and added them to their repertoire,” Szappanos wrote. “When the aim is to infect a large number of users, good old social engineering never fails to deliver the results.”
What typically happens is that a user will receive some kind of document – for example, a Microsoft Word document. However, the way these VBA downloaders have been built is that they can’t be opened in any Office suite newer than 2007, since Office has disabled VBA macros by default.
To get around this, hackers will encourage users to disable the macros so they can see the full content of the document. For example, the document may look like a blurry transaction document, or it may be marked as confidential. Hackers will be as helpful as to provide arrows and instructions on how to enable the macros, therefore opening users up to infection. Once the document gets opened again, the code for the VBA downloader will execute.
With this discovery, Sophos researchers are warning users to be careful about what they download and what they open.
“There is no justiﬁcation as to why the content of a document can only be displayed properly if the execution of macros is enabled,” Szappanos wrote. “If you receive a document with this advice, be aware: you are probably being attacked.”
For the full report, head on over here.