
Post on 11-Aug-2020

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1 of 15

Malware Protection Center

Macro malware: Summary
Macro malware: Statistics
Macro malware: Characteristics
Macro malware: Analysis
Macro malware: Mitigation
Prevalent threats

Macro malware: Summary

Old friends and new enemies

2015 has so far continued much of the trend from 2014 – an increase in ransomware infections and the resurgence of macro-based malware.

This month’s report focuses mostly on macro-based malware – malware that uses macros embedded in Microsoft Office files to sneak in further infection.

While 2014 saw these trends, 2015 has shown us just how insidious these types of malware are. Macro-based malware and ransomware infections are not only rising, but entering a maturity phase where we are seeing more sophisticated attempts to steal information and money, rather than the wild ‘sow your oats’ approach typically seen when a new type of malware enters the fray.

Macro-based malware uses what could be argued as user-consent prompt fatigue.

This fatigue is typified by frustrated users who are feeling bombarded with multiple claims on their attention and consent.

In the case of macro-based malware, it appears that users have become so accustomed to clicking the Enable content or similar warning bars in Microsoft Office products, that they are now confident in being able to determine the perceived risk versus the potential gain.

If they receive a message that demands they open it to dispute a credit card charge, or to access a failed postal delivery, or any of the other quite legitimate-sounding reasons these messages use, it’s only likely that a user’s curiosity might cause them to see greater gain than any risk.

In this way, macro-based malware can be considered to rely on passive social engineering. The malware authors rely on the fact that a user might click the Enable content warning without much thought about it.

The second aspect of this is the socio-cultural norms around security, privacy, and computers. As we enter further into the 21st century, governments and other organizations are realizing a greater need to protect their populations in the online world. To an extent, this can also lead to users feeling safe or righteous in performing behavior that, 20 years ago, was once considered risky (in other words, the perception of the risk has lowered).

Summary – Overview: Evolution of macro-based malware

Statistics – Macro-based malware infection across the globe

Characteristics – Distribution patterns, symptoms of infection, and diagrams

Analysis – Examination of a macro-based attack

Mitigation – General advice for mitigating the risk of infection from macro-based malware

Prevalent threats – Top malware detected by Microsoft security software over the past 30 days

Page 2 of 15

Macro malware: Statistics

Macro-based malware affects large parts of the world. In particular the top four families for June had the following distribution (“share” is the percentage share for all macro infections):

Bartallex
Country            Distribution   Share
Canada                  49.19%    5.35%
United States           20.49%    2.23%
United Kingdom           6.60%    0.72%
Japan                    4.84%    0.53%
China                    2.75%    0.30%
Australia                2.01%    0.22%
Poland                   1.82%    0.20%
Mexico                   1.74%    0.19%
France                   1.57%    0.17%
Italy                    1.13%    0.12%
Total                  100.00%   10.87%

Adnel
Country            Distribution   Share
United Kingdom          60.22%   32.78%
France                   7.91%    4.31%
Canada                   6.41%    3.49%
United States            5.16%    2.81%
Poland                   4.07%    2.22%
Hong Kong                3.82%    2.08%
Japan                    2.74%    1.49%
Belgium                  1.04%    0.56%
Korea (South)            0.89%    0.48%
Pakistan                 0.87%    0.47%
Total                  100.00%   54.43%

Donoff
Country            Distribution   Share
India                   43.47%   13.77%
United States           15.27%    4.84%
France                   7.45%    2.36%
United Kingdom           6.93%    2.19%
Norway                   4.99%    1.58%
Thailand                 2.78%    0.88%
Poland                   2.57%    0.82%
Japan                    2.46%    0.78%
Italy                    1.65%    0.52%
Mexico                   1.32%    0.42%
Total                  100.00%   31.68%

Drixed
Country            Distribution   Share
United Kingdom          32.57%    0.98%
France                  19.10%    0.58%
United States           17.87%    0.54%
Italy                    4.41%    0.13%
Belgium                  3.63%    0.11%
Poland                   3.05%    0.09%
South Africa             2.06%    0.06%
Netherlands              1.70%    0.05%
Croatia                  1.44%    0.04%
Spain                    0.98%    0.03%
Total                  100.00%    3.02%

Page 3 of 15

Over the past 30 days, we’ve seen the daily distribution between these four families remain static:

Over the past 12 months, the distribution of the macro families looks like this:

Page 4 of 15

Adnel has remained as a top-hitting family, accounting for 50% of all macro families over the past year and within the past month. The share between the next three most detected families, however, has a more uniform distribution when seen across the past 12 months.

In the past 30 days, Bartallex had a large spike from one specific machine, which affected the overall distribution amongst the top 20 most infected countries, based on the number of reported infections:

Page 5 of 15

By normalizing that data by looking at the number of unique machines that were infected, we see Canada drop to fifth place. While the US accounts for a large majority, Mexico, the UK, and France fit into the top five:
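The following is a worked example added to this transcript; it is not part of the Microsoft Malware Protection Center report. It makes two things in the Statistics section explicit: first, how a family's per-country "Distribution" column relates to its "Share" column (Share equals Distribution multiplied by the family's total share of all macro detections, which can be checked against the Bartallex and Adnel tables as printed); second, why ranking countries by reported infections and by unique infected machines gives different orderings, as the report observes for Bartallex and Canada. The telemetry records used for the second part are constructed sample data, not Microsoft telemetry, and the record layout (machine id, country) is an assumption.

```python
"""Worked example added to this transcript; not part of the MMPC report.

1. Share = Distribution x (family's total share of all macro detections),
   checked against the Bartallex and Adnel rows as printed in the report.
2. Ranking countries by raw detection reports versus by unique infected
   machines, over constructed sample telemetry (assumption, not real data).
"""
from collections import Counter, defaultdict

# "Total" row of the Share column for June, from the report's tables.
FAMILY_TOTAL_SHARE = {"Bartallex": 10.87, "Adnel": 54.43}

# Per-country Distribution (% within the family) and the printed Share
# (% of all macro infections), copied from the report's tables.
DISTRIBUTION = {
    "Bartallex": {"Canada": 49.19, "United States": 20.49,
                  "United Kingdom": 6.60, "Japan": 4.84, "China": 2.75},
    "Adnel": {"United Kingdom": 60.22, "France": 7.91, "Canada": 6.41,
              "United States": 5.16, "Poland": 4.07},
}
PRINTED_SHARE = {
    "Bartallex": {"Canada": 5.35, "United States": 2.23,
                  "United Kingdom": 0.72, "Japan": 0.53, "China": 0.30},
    "Adnel": {"United Kingdom": 32.78, "France": 4.31, "Canada": 3.49,
              "United States": 2.81, "Poland": 2.22},
}


def share_of_all_macro_infections(family, country):
    """Share = distribution within the family x the family's total share."""
    return DISTRIBUTION[family][country] * FAMILY_TOTAL_SHARE[family] / 100.0


def check_tables(tolerance=0.01):
    """Return (family, country) pairs whose printed Share differs from the
    recomputed value by more than `tolerance` points. An empty list means
    the tables are internally consistent up to rounding."""
    mismatches = []
    for family, rows in PRINTED_SHARE.items():
        for country, printed in rows.items():
            recomputed = share_of_all_macro_infections(family, country)
            if abs(recomputed - printed) > tolerance:
                mismatches.append((family, country))
    return mismatches


# Constructed sample telemetry (assumption): one record per detection report,
# (machine_id, country). One Canadian machine reports 40 times, mimicking the
# single-machine spike the report describes.
SAMPLE_REPORTS = (
    [("CA-0001", "Canada")] * 40
    + [("US-%04d" % i, "United States") for i in range(12)]
    + [("MX-%04d" % i, "Mexico") for i in range(6)]
    + [("GB-%04d" % i, "United Kingdom") for i in range(5)]
    + [("FR-%04d" % i, "France") for i in range(4)]
    + [("CA-0002", "Canada"), ("CA-0003", "Canada")]
)


def rank_by_reports(reports):
    """Countries ordered by number of reported detections (raw count)."""
    counts = Counter(country for _, country in reports)
    return [country for country, _ in counts.most_common()]


def rank_by_unique_machines(reports):
    """Countries ordered by number of distinct infected machines (normalized)."""
    machines = defaultdict(set)
    for machine_id, country in reports:
        machines[country].add(machine_id)
    return sorted(machines, key=lambda c: (-len(machines[c]), c))


if __name__ == "__main__":
    print("table mismatches:  ", check_tables())
    print("by reports:        ", rank_by_reports(SAMPLE_REPORTS))
    print("by unique machines:", rank_by_unique_machines(SAMPLE_REPORTS))
```

With the sample data, Canada leads the raw-report ranking because of the one noisy machine and falls to fifth once each machine is counted once, which is the effect the report describes; a single chatty host in telemetry should be deduplicated before country or family prevalence is reported.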

Page 6 of 15

Macro malware: Characteristics

Modes of attack – Microsoft Office Macros

Macro-based malware is typified by the use of macros, specifically macros written in VBA that are embedded in Microsoft Office program files.

The following is an example of the macro script found in a Bartallex variant.

Typically the macro is password-protected, so the script can’t be viewed by the user.

Page 7 of 15

Common file names and email subjects

Macro-based malware relies on social engineering in the form of attractive email attachments alongside a provocative email subject header.

Common email subjects for some of the top macro-based malware families:

Email subject                        SHA1                                       Family
FYI: Aborted transaction (H493525)   1016f35a05a5858fbd630497fb348c67f5be7115   TrojanDownloader:W97M/Adnel
Important Notification 2KMIS         C5E4DF0FEF0F959C143EFDAA625609F664B8278C   TrojanDownloader:O97M/Bartallex
Subject : invoice for Cheryl         5A365DDB394E27BFCF193B750284EF866E11054F   TrojanDownloader:O97M/Bartallex
are you serious?                     3b094fa64c6007cf1ed128c008f9d448548235b9   TrojanDownloader:O97M/Bartallex
Fw: Code 71NOO2                      0b85a486a067c3d1a90fc8272634ed27c93c1710   TrojanDownloader:O97M/Donoff

Common attachment file names and file types for the Bartallex family are in the following table. Note that “statement.doc” takes the major share of all names.

File name                                                Share of all Bartallex detections
statement.doc                                            14.91%
Retiro-Compra.doc                                         0.98%
invoice_0604.doc                                          0.85%
documenti.doc                                             0.59%
court_subpoena.doc                                        0.56%
final_invoice.doc                                         0.42%
confirmation_3346462.doc                                  0.41%
Signature Invoice.doc                                     0.23%
ExtractosDavivienda.doc                                   0.18%
logmein_pro_receipt.doc                                   0.17%
confimation_75991792.doc                                  0.16%
check.doc                                                 0.15%
order_list.doc                                            0.15%
Inv_12983_from_simply_carpets_of_keynsham_ltd_3464.doc    0.14%

Page 8 of 15

Vectors of infection

Macro-based malware is a gateway malware. It allows further infection on a user’s computer.

Generally, the macro contacts a command and control server or remote host, from which further instructions are received. These instructions usually include the download of more malware.

We’ve seen variants from the following families most often downloaded by, or as a result of, a Bartallex infection:

• TrojanDownloader:Win32/Chanitor
• TrojanDownloader:Win32/Drixed
• TrojanDownloader:Win32/Upatre
• PWS:Win32/Fareit

The infection chain for most macro-based malware is similar – a spam email carries an attachment that contains a file with a macro that downloads other malware.

Page 9 of 15

Macro malware: Analysis

Bartallex: Execution

Bartallex is one of the top four most-common macro-based malware families and is typical of how this category of malware works.

When a user opens the attachment (such as a Microsoft Word .doc file), they are asked to enable content or external data. If the user does so (by clicking an error message at the top of the document), the malicious macro runs.

Variants of the Bartallex family of macro-based malware download a file through XML HTTP (the file is Base64-encoded). The following screenshot shows an example of the URLs and decoded Base64 data the family might use:

From this data, the macro code creates three script files (a batch file, a Visual Basic script file, and a PowerShell script file) in the %TEMP% directory with a randomly generated name. Older versions of Bartallex used a file name that started with adobeacd-update, but newer versions (as of July 2015) use five random numbers, as in the following examples:

• 18124.bat
• 18124.vbs
• 18124.ps1

Page 10 of 15

Each file runs in succession, starting with the batch file:

The batch file executes the Visual Basic script file:

The Visual Basic script then executes the PowerShell script:

Page 11 of 15

The PowerShell script downloads and runs other malware, and cleans up or deletes the previously used components.
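The chain just described (Office document, then a batch file, a VBScript and a PowerShell script sharing one randomly generated name in %TEMP%) is what a defender can look for in process-creation telemetry. The following detection logic is an added example and is not code from the report; it runs over constructed sample events whose layout (pid, parent pid, image name, command line) is an assumption, so real Sysmon or EDR data would need its own parser.

```python
"""Added example, not from the report: detect the Bartallex-style execution
chain (Office -> cmd.exe running a .bat -> script host running a .vbs ->
powershell.exe running a .ps1, all under one stem in %TEMP%) in constructed
process-creation events. Event layout is an assumption."""
import re

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# A script in %TEMP% named either with the newer five random digits or the
# older "adobeacd-update" prefix the report mentions. Group 1 is the stem.
TEMP_SCRIPT = re.compile(
    r"\\temp\\(adobeacd-update[^\\\s]*?|\d{5})\.(bat|vbs|ps1)\b", re.IGNORECASE)

# Constructed sample events (assumption): (pid, parent_pid, image, command_line).
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "WINWORD.EXE", r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\statement.doc"'),
    (300, 200, "cmd.exe", r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\18124.bat"),
    (400, 300, "wscript.exe", r"wscript.exe C:\Users\alice\AppData\Local\Temp\18124.vbs"),
    (500, 400, "powershell.exe", r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\18124.ps1"),
    # Benign build activity for contrast: same cmd -> powershell shape, no Office parent.
    (600, 100, "cmd.exe", r"cmd.exe /c C:\build\run_tests.bat"),
    (700, 600, "powershell.exe", r"powershell.exe -File C:\build\deploy.ps1"),
]


def index_by_pid(events):
    """Map pid -> (parent_pid, image, command_line)."""
    return {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}


def ancestry(index, pid):
    """Return [(image, command_line), ...] from pid up to the root process."""
    chain = []
    while pid in index:
        ppid, image, cmd = index[pid]
        chain.append((image.lower(), cmd))
        pid = ppid
    return chain


def find_macro_dropper_chains(events):
    """Alert on a powershell.exe whose ancestry contains an Office process,
    a cmd.exe and a script host, where every %TEMP% script referenced along
    the way shares one stem. Returns one dict per alert."""
    index = index_by_pid(events)
    alerts = []
    for pid, _, image, _ in events:
        if image.lower() != "powershell.exe":
            continue
        chain = ancestry(index, pid)          # powershell first, root last
        images = [img for img, _ in chain]
        if not any(img in OFFICE_IMAGES for img in images):
            continue
        if "cmd.exe" not in images or not (SCRIPT_HOSTS & set(images)):
            continue
        stems = {m.group(1).lower() for _, cmd in chain
                 for m in [TEMP_SCRIPT.search(cmd)] if m}
        if len(stems) == 1:
            alerts.append({"pid": pid,
                           "chain": list(reversed(images)),
                           "script_stem": stems.pop()})
    return alerts


if __name__ == "__main__":
    for alert in find_macro_dropper_chains(SAMPLE_EVENTS):
        print(alert)
```

The benign cmd.exe/powershell.exe pair is ignored because nothing above it is an Office process, which is the key discriminator: Office applications spawning cmd.exe or a script host is rare in ordinary use, and the shared five-digit stem ties the three scripts to one dropper rather than to three unrelated events.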

Evolution

The existence of macro-based malware is one of the main reasons why a consent requirement is included in Microsoft Office.

By encouraging users to be more careful when enabling macros, the rate of infection dropped. As a result, malware authors turned to other, more successful avenues of malware attack.

However, over the past two years, we’ve seen a resurgence in the detection and distribution of macro-based malware. It’s concerning, however, that we see an associated increase in successful infections by macro-based malware. See the Macro malware: Summary tab for an overview and exploration of what may have caused this behavior.

Page 12 of 15

Macro malware: Mitigation

Macro-based malware is delivered through spam emails, which can sometimes slip through email filters and cause significant infection across a network.

Disabling the email preview pane in Microsoft Office and educating employees on the dangers of using live-preview in online email services can help prevent macro-based malware infection.

Network administrators can use the Office Customization Tool (OCT) to deploy changes to settings after Office has been installed, including disabling the preview pane and preventing macros from running:

• Office 2013 - OCT reference
• Office 2010 - OCT reference
• Office 2007 - OCT reference

Group Policy can also be enforced in Office programs to disable macros and other add-ins:

• Group Policy administrative template files for Office 2013
• Use Group Policy to enforce Office 2010 settings
• Enforce settings by using Group Policy in the 2007 Office system

Macros can also be disabled by default through the Trust Center in Microsoft Office programs, to control individual machines or installations. See the Office support page Enable or disable macros in Office files for details.

Office 365 offers further protection from spam emails, through the use of Exchange Online Protection (EOP).

You can get insights on how Office 365 uses machine learning to help you block spam in the video First look at Advanced Threat Protection: new tools to stop unknown malware & phishing attacks.

You can also follow the appropriate Exchange Online Protection instructions to suit your business needs.

And of course, don’t forget to submit those spam and non-spam messages to Microsoft for analysis.

That way, the Microsoft Malware Protection Center can help you address and prevent future infections.

Page 13 of 15

Top detections for the past 30 days

The tables in this section show top detections for all malware categories for the past 30 days (not just malware related to macro-based malware). “Distribution” is the percentage share of each detection amongst the top 10 detections in that category.

Enterprise detections
Threat name                              Distribution
BrowserModifier:Win32/CouponRuc          44%
BrowserModifier:Win32/KipodtoolsCby      11%
Win32/Gamarue                            10%
SoftwareBundler:Win32/InstalleRex         8%
Win32/Jenxcus                             7%
Trojan:Win32/Skeeyah.A!plock              7%
JS/Axpergle                               5%
Trojan:Win32/Peals                        5%
Win32/Conficker                           2%
TrojanDownloader:W97M/Donoff              1%

Top detections (all types)
Threat name                              Distribution
BrowserModifier:Win32/CouponRuc          31%
HackTool:Win32/Keygen                    15%
BrowserModifier:Win32/AlterbookSP        14%
HackTool:Win32/AutoKMS                    8%
BrowserModifier:Win32/KipodToolsCby       8%
Adware:Win32/EoRezo                       6%
BrowserModifier:Win32/EonarchSP           6%
SoftwareBundler:Win32/InstalleRex         5%
Worm:VBS/Jenxcus!lnk                      4%
VirTool:Win32/Obfuscator.XZ               3%

Families
Threat name                              Distribution
BrowserModifier:Win32/CouponRuc          36%
HackTool:Win32/Keygen                    18%
HackTool:Win32/AutoKMS                    9%
BrowserModifier:Win32/KipodtoolsCby       9%
Win32/Gamarue                             8%
Adware:Win32/EoRezo                       7%
Win32/Obfuscator                          7%
SoftwareBundler:Win32/InstalleRex         6%
Win32/Jenxcus                             6%
Trojan:Win32/Skeeyah.A!plock              6%

Top rogue detections
Threat name                              Distribution
Rogue:JS/FakeCall.B                      56%
Rogue:HTML/Phish.A                        8%
Rogue:Win32/Winwebsec                     8%
Rogue:Win32/FakeRean                      7%
Rogue:VBS/Trapwot                         7%
Rogue:Win32/FakePAV                       5%
Rogue:VBS/FakePAV                         3%
Rogue:Win32/Trapwot                       3%
Rogue:Win32/FakeVimes                     2%
Rogue:Win32/FakeCog                       2%

Page 14 of 15

Top ransomware detections
Threat name                              Distribution
Ransom:HTML/Crowti.A                     36%
Ransom:Win32/Crowti.A                    19%
Ransom:Win32/Crowti                      17%
Ransom:JS/Krypterade.A                    8%
Ransom:Win32/Troldesh.A                   5%
Ransom:Win32/Critroni.B                   4%
Ransom:Win32/Critroni                     4%
Ransom:HTML/Tescrypt.A                    3%
Ransom:Win32/Nymaim.F                     2%
Ransom:Win32/Reveton.V                    2%

Top unwanted software detections
Threat name                              Distribution
BrowserModifier:Win32/CouponRuc          40%
BrowserModifier:Win32/AlterbookSP        18%
BrowserModifier:Win32/KipodToolsCby      10%
Adware:Win32/EoRezo                       8%
BrowserModifier:Win32/EonarchSP           8%
SoftwareBundler:Win32/InstalleRex         7%
Adware:Win32/ZoomyLib                     4%
BrowserModifier:Win32/MeninchSP           2%
BrowserModifier:Win32/TogiraSP            1%
BrowserModifier:Win32/DefaultTab          1%

Top exploit detections
Threat name                              Distribution
Exploit:HTML/Axpergle.O                  29%
Exploit:Win32/CplLnk.A                   15%
Exploit:JS/Neclu.AH                       8%
Exploit:HTML/Axpergle.AB                  7%
Exploit:HTML/Neclu.O                      6%
Exploit:VBS/CVE-2014-6332                 6%
Exploit:JS/Meadgive.S                     6%
Exploit:Win32/Sdbby                       5%
Exploit:HTML/IframeRef.gen                5%
Exploit:Win32/ShellCode.A                 5%

Top password stealer detections
Threat name                              Distribution
PWS:Win32/Fareit                         21%
PWS:Win32/Lmir.AAA                       16%
PWS:Win32/Zbot                           13%
PWS:Win32/Prast!rts                      11%
PWS:Win32/VB.CU                          10%
PWS:Win32/Zbot!rfn                        8%
PWS:Win32/QQpass.CI                       6%
PWS:Win32/Dyzap                           6%
PWS:Win32/Dyzap.Q                         5%
PWS:Win32/Mujormel.D                      4%