Attackers Increasingly Adopting VBA-based Attack Techniques

Cyber attackers are increasingly using VBA code to prepare malicious documents. Recently, threat actors have been observed using a VBA purging technique, which leaves only the VBA source code within Office documents and offers better detection evasion.

VBA purging on the rise

  • Office documents containing VBA code store the macros within streams of Compound File Binary Format (CFBF) files; the VBA project format (MS-OVBA) saves its data in a hierarchy made up of several types of streams.
  • Each module stream holds the VBA code twice: as CompressedSourceCode (the VBA source compressed with a proprietary algorithm) and as PerformanceCache (P-code, the compiled VBA).
  • Normally, an Office application runs the PerformanceCache directly when the document was compiled by an application of the same architecture and version. Otherwise, the compressed source code is decompressed, compiled, and executed. A purged document therefore carries only the compressed source code in its module streams, and Office has to take the second path.
  • It has been observed that the detection rate for a VBA-purged malicious document is around 67% lower than for a malicious document created with normal VBA code.
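As an added example (not code from the article, nor from FireEye's OfficePurge), the following Python implements the two pieces a defender needs to check a document for the purging indicator described above: a decompressor for the MS-OVBA compressed container (the "proprietary algorithm" applied to the source code and to the `dir` stream), and a walker over the decompressed `dir` stream that reads each module's MODULEOFFSET. Per MS-OVBA, MODULEOFFSET.TextOffset is where CompressedSourceCode begins inside the module stream, so an offset of 0 means nothing (no PerformanceCache) precedes the source. The example assumes the `dir` stream bytes have already been extracted from the CFBF container (for instance with a CFB parser such as olefile); the record ids used are those defined in MS-OVBA.

```python
import math

def decompress_vba(data: bytes) -> bytes:  # MS-OVBA "compressed container" (the proprietary VBA compression)
    if not data or data[0] != 0x01:
        raise ValueError("not a compressed container: signature byte 0x01 missing")
    out, pos = bytearray(), 1
    while pos < len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(data))  # chunk size counts the header
        pos, chunk_start = pos + 2, len(out)
        if not header & 0x8000:  # flag bit clear: chunk is 4096 raw bytes
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags, pos = data[pos], pos + 1
            for bit in range(8):  # one flag bit per token, LSB first
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:  # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token, pos = int.from_bytes(data[pos:pos + 2], "little"), pos + 2
                # copy token: how its 16 bits split into offset/length depends on position in chunk
                bit_count = max(math.ceil(math.log2(len(out) - chunk_start)), 4)
                length, offset = (token & (0xFFFF >> bit_count)) + 3, (token >> (16 - bit_count)) + 1
                for _ in range(length):  # byte-wise copy so overlapping back-references work
                    out.append(out[-offset])
    return bytes(out)

def module_text_offsets(dir_stream: bytes) -> dict:  # MODULESTREAMNAME -> MODULEOFFSET.TextOffset
    offsets, pos, name = {}, 0, None
    while pos + 6 <= len(dir_stream):  # records are Id(2) + Size(4) + body
        rec_id = int.from_bytes(dir_stream[pos:pos + 2], "little")
        size = int.from_bytes(dir_stream[pos + 2:pos + 6], "little")
        if rec_id == 0x0009:  # PROJECTVERSION: Size field is reserved, body is always 6 bytes
            size = 6
        body, pos = dir_stream[pos + 6:pos + 6 + size], pos + 6 + size
        if rec_id == 0x001A:  # MODULESTREAMNAME
            name = body.decode("latin-1")
        elif rec_id == 0x0031 and name:  # MODULEOFFSET: where CompressedSourceCode starts
            offsets[name] = int.from_bytes(body, "little")
    return offsets

def looks_purged(dir_stream: bytes) -> bool:
    # TextOffset 0 means the module stream starts with the source: no PerformanceCache ahead of it
    offsets = module_text_offsets(dir_stream)
    return bool(offsets) and all(off == 0 for off in offsets.values())
```

On a real file, pass `decompress_vba(raw_dir_stream)` to `looks_purged`; the walker skips records it does not need, so a full project (references, constants, several modules) works as long as it follows the MS-OVBA record layout.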

Recent attacks

Besides the new VBA purging attacks, several attackers have been observed using VBA code in malicious Microsoft Office documents.
  • In early December, DeathStalker used a macro-based delivery chain that eventually ran PowerPepper and set up its persistence.
  • In another attack, a spying campaign spreading the Bandook Trojan was found using a template document containing VBA code.

An open-source tool

FireEye, a cybersecurity company, has released the OfficePurge tool, which supports VBA purging of Excel (.xls), Publisher (.pub), and Word (.doc) documents. It also released a YARA rule to look for documents modified in this way.

Conclusion

The frequent use of VBA code in attacks and the innovative use of VBA purging show that cybercriminals are actively investing time in this technique to improve their persistence and obfuscation capabilities. Therefore, experts suggest disabling macros where they are not needed and blocking macros in Microsoft Office files that originate from the internet for better protection. Experts also recommend training employees to spot malicious documents.

Cyware Publisher
