VBA virus

The most common way attackers hide a malicious macro is code obfuscation. Macro source code is easy to obfuscate, and a plethora of free tools are available for attackers to do this automatically.

This results in polymorphic malware, with evolving obfuscation patterns and multiple obfuscated variants of the same malicious macro. Or why hide at all? A small piece of malicious code can be embedded somewhere in a huge legitimate source and keep a low profile.

How can antivirus and other security solutions cope? Today, antivirus solutions can extract and scan the obfuscated macro source code from an Office document. The Antimalware Scan Interface (AMSI) is an open interface available on Windows 10 that lets applications request, at runtime, a synchronous scan of a memory buffer by an installed antivirus or security solution.

Any application can interface with AMSI and request a scan for any data that may be untrusted or suspicious. If the content submitted for scan is detected as malicious, the requesting application can take action to deal with the threat and ensure the safety of the device.

To learn more, refer to the AMSI documentation. Over the years, we have been steadily increasing our investments in providing security solutions with deeper visibility into script-based threats.

Insights seen via AMSI are consumed by our own security products. The new Office and AMSI integration is yet another addition to the arsenal of protection against script-based malware. The Office VBA integration with AMSI is made up of three parts: (a) logging macro behavior, (b) triggering a scan on suspicious behavior, and (c) stopping a malicious macro upon detection.

The VBA language offers macros a rich set of functions that can be used to interface with the operating system: run commands, access the file system, and so on. These interfaces are instrumented so that the behavior of a macro is trapped and all relevant information, including the function name and its parameters, is logged in a circular buffer.

The logged calls can come in two formats. Invoked functions, methods, and APIs need to receive their parameters in the clear (plaintext) in order to work; thus, this behavioral instrumentation is not affected by obfuscation. This instrumentation therefore exposes a weak spot of malicious macros: the antivirus now has visibility into the relevant activity of the macro in the clear, no matter how the source was obfuscated.

When a potentially high-risk function or method (a trigger; for example, CreateProcess or ShellExecute) is invoked, Office halts the execution of the macro and requests a scan of the macro behavior logged up to that moment via the AMSI interface. The AMSI provider (e.g. the installed antivirus or security solution) performs that scan. The list of high-risk functions, or triggers, is meant to cover actions at various stages of an attack chain.

The behavior log sent over AMSI can include information like suspicious URLs from which malicious data was downloaded, suspicious file names known to be associated with malware, and others.
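The following Python model is an added illustration of the three-part mechanism described above (log calls in a circular buffer, scan on a high-risk trigger, stop the macro on a malicious verdict); it is not Office's or AMSI's code. The trigger list, buffer size, detection rules and the constructed call sequences are assumptions for the demo.

```python
from collections import deque
import re

# Assumed for the demo: which calls are triggers and how many calls the buffer keeps.
TRIGGERS = {"CreateProcess", "ShellExecute"}
BUFFER_SIZE = 8


class MacroHalted(Exception):
    """Raised when the scan verdict is malicious and execution is stopped."""


def scan_behavior_log(entries):
    """Stand-in for the AMSI provider: True if the logged behavior looks malicious.
    Rule (assumed): a download from a URL followed by launching an .exe from Temp."""
    text = "\n".join(entries)
    downloads_url = re.search(r"URLDownloadToFile\(.*https?://", text) is not None
    runs_from_temp = re.search(r"(CreateProcess|ShellExecute)\(.*\\Temp\\.*\.exe",
                               text, re.I) is not None
    return downloads_url and runs_from_temp


class InstrumentedRuntime:
    """Models the instrumented VBA interfaces: every call is logged in the clear."""
    def __init__(self):
        self.log = deque(maxlen=BUFFER_SIZE)  # circular buffer of recent calls

    def call(self, name, *args):
        # Parameters arrive decoded, however the macro source obfuscated them.
        self.log.append(f"{name}({', '.join(repr(a) for a in args)})")
        if name in TRIGGERS and scan_behavior_log(self.log):
            raise MacroHalted(name)  # (c) stop the macro on detection
        return True


def run_macro(calls):
    """Replay (function, args...) tuples; return (halted, logged_entries)."""
    rt = InstrumentedRuntime()
    try:
        for name, *args in calls:
            rt.call(name, *args)
    except MacroHalted:
        return True, list(rt.log)
    return False, list(rt.log)


# Constructed sample: the URL was built from Chr() fragments in the macro, but the
# instrumented call still sees the joined string. Paths and host are placeholders.
TEMP_EXE = "C:\\Users\\u\\AppData\\Local\\Temp\\p.exe"
OBFUSCATED_SCHEME = "".join(chr(c) for c in [104, 116, 116, 112, 115, 58, 47, 47])
DEMO_CALLS = [("Environ", "TEMP"),
              ("URLDownloadToFile", OBFUSCATED_SCHEME + "example.invalid/p.exe", TEMP_EXE),
              ("CreateProcess", TEMP_EXE)]
BENIGN_CALLS = [("Range", "A1"), ("ShellExecute", "calc.exe")]
```

`run_macro(DEMO_CALLS)` halts at the CreateProcess trigger with the decoded URL visible in the log, while `run_macro(BENIGN_CALLS)` scans at ShellExecute and lets the macro finish.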

Also discovered by Malwarebytes is a PHP-based panel nicknamed "Ekipa" that the adversary uses to track victims and view information about the modus operandi that led to the successful breach, highlighting successful exploitation using the IE zero-day and execution of the RAT. However, it could also have been used as a false flag.

Macro viruses are embedded in documents, which allows them to run automatically when the documents are opened. Computer viruses are about as diverse as computer users. If a macro virus has infected such documents, it has the potential to damage the document or other computer software. When an infected file is opened, the macro virus releases a sequence of actions that begin automatically.

These actions cause damage to the computer and its applications. Macro viruses are often spread through phishing emails containing attachments that have been embedded with the virus.

Because the email looks like it came from a credible source, many recipients open it. Macro viruses spread whenever a user opens or closes an infected document. They run on applications, not on operating systems. The most common methods of spreading macro viruses include:

Macro viruses are programmed to perform many tasks on computers. For example, a macro virus can create new files, corrupt data, move text, send files, format hard drives, and insert pictures.

One of their more common missions? Delivering destructive viruses and malware. A now-classic example of a macro virus is the Melissa Virus from
