Think that macro viruses written in VBA (Visual Basic for Applications) are just something that people using the Internet a couple of decades ago had to worry about? Think again. Word macro attacks never went away; they just went into decline. New evidence suggests they could be making something of a comeback, though. Coupled with research showing how non-English-speaking recipients are being targeted by phishers using this technique, it makes for worrying reading some 15 years after Melissa struck fear into the email-using world.

Whenever I hear non-English and phishing uttered in the same breath, I tend to think the speaker is talking about the scammer rather than the attack message itself. The number of emails that appear in my spam and malware filtered folders which have patently obviously come from the keyboard of a non-English speaker far outweighs the number that have not. However, the language of phishing itself has pretty much always been English for one very good reason: it represents the largest attack surface for the least effort. Of course, there are always exceptions, and targeted attacks (also known as spear phishing) are more likely to be crafted in whatever language is thought to be spoken by the recipient, based upon the location of that target mark. One thing is for sure: most security researchers will agree that malicious URLs in email tend to be a lot more prolific in English-speaking recipient countries than elsewhere.

Which doesn't mean you are safe if, for example, you live or work in France or Germany. I mention these countries for two specific reasons. Firstly, security researchers at Proofpoint recently disclosed that the URLs in unsolicited email sent to recipients in France and Germany were less likely to be malicious than URLs in emails to recipients in the US or the UK. Secondly, the same security outfit revealed this last week the details of an admittedly low-volume targeted phishing campaign that was aimed directly at organizations in those two countries. Interestingly, the latter finding does not dilute the relevancy of the former: although malicious URLs remain the launch mode of preference in the phishing community, they aren't the only game in town. The campaign in question was even more old school and relied upon malicious attachments instead.

In all, a total of twelve different Microsoft Word document attachment variations were found to be used, and they were cycled with multiple senders and headings in order to create what is known as a longline phishing campaign. This has the intended, and often successful, effect of evading any reputation-based blocking that is being used. The Proofpoint analysis of the Word attachments revealed documents which were vehicles for a VBA virus in the form of a malicious macro that downloaded and then installed Andromeda malware. An additional level of obfuscation was applied, for both the macro code and the Andromeda payload itself, and this helped the attackers to gain a pretty good rate of antivirus evasion. How good? Well, at the time of the Proofpoint analysis less than ten per cent of antivirus engines were able to detect the attachments as malicious and the Andromeda payload itself was detected by a mere five per cent.

The fact that multiple samples from a single campaign, using variations of attachment name, lure, subject and sending address, were successful in this case shows that a modern longline phishing strategy is viable, especially when it can prove so effective against both reputation-based and signature-based filtering systems. With at least twelve different attachments in a relatively low-volume longline campaign, the odds were high that they would be so far unknown and so allowed to pass even robust anti-spam gateways; high enough to make the attack potentially profitable and so worth launching. According to the Proofpoint researchers it's a perfect example of why organizations must complement their existing anti-spam gateway with advanced detection capabilities: something always gets through even the best traditional defenses. Of course, they would say that, given that the company can provide just such capabilities.
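To make the longline idea concrete from the defender's side, here is an added example of mine (not code from the article or from Proofpoint) that pivots mail-gateway records on the attachment hash rather than on per-sender reputation, so a dozen attachment variants spread thinly across many senders and subjects stand out as one cluster. The log format, sender domains, subjects and hashes are all constructed for the example.

```python
import shlex
from collections import defaultdict

WORD_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm")

# Constructed sample gateway log (not from the article): one message per line as
# timestamp sender "subject" attachment-name attachment-hash; hashes are placeholders.
SAMPLE_LOG = """\
2014-11-03T08:01 facture@fr-sender1.test "Facture 2319" Facture_2319.doc aaaa0001
2014-11-03T08:07 compta@fr-sender2.test "Votre facture" Facture.doc aaaa0001
2014-11-03T08:40 service@fr-sender3.test "Relance facture" Relance.doc aaaa0001
2014-11-03T08:15 rechnung@de-sender1.test "Rechnung Nr. 4471" Rechnung_4471.doc aaaa0002
2014-11-03T08:22 buchhaltung@de-sender2.test "Ihre Rechnung" Rechnung.doc aaaa0002
2014-11-03T09:00 news@vendor.test "Weekly newsletter" news.pdf bbbb0009
2014-11-03T09:05 news@vendor.test "Weekly newsletter" news.pdf bbbb0009
2014-11-03T09:10 news@vendor.test "Weekly newsletter" news.pdf bbbb0009
"""

def parse_log(text):
    """Split each log line into fields; shlex keeps the quoted subject whole."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, subject, filename, digest = shlex.split(line)
        records.append({"ts": ts, "sender": sender.lower(), "subject": subject,
                        "filename": filename, "hash": digest})
    return records

def find_longline_clusters(records, min_senders=2, max_per_sender=2):
    """Flag Word attachment hashes seen from several low-volume senders.

    Reputation filters score each sender alone, so a longline campaign keeps
    every sender below threshold; pivoting on the attachment hash exposes it.
    """
    by_hash = defaultdict(list)
    for rec in records:
        if rec["filename"].lower().endswith(WORD_EXTENSIONS):
            by_hash[rec["hash"]].append(rec)
    clusters = {}
    for digest, recs in by_hash.items():
        per_sender = defaultdict(int)
        for rec in recs:
            per_sender[rec["sender"]] += 1
        if len(per_sender) >= min_senders and max(per_sender.values()) <= max_per_sender:
            clusters[digest] = {"messages": len(recs), "senders": len(per_sender),
                                "subjects": len({r["subject"] for r in recs}),
                                "filenames": len({r["filename"] for r in recs})}
    return clusters
```

The newsletter PDF is never flagged: one sender, repeated, is exactly what reputation scoring already handles, whereas the two Word clusters only become visible once messages are grouped by what they carry rather than who sent them.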

However, I say that this campaign also highlights the role of language as yet another variable that attackers can leverage to evade organizations' existing defenses. Anyone who thinks the days of Word doc attacks are dead is wrong. Anyone who thinks that, just because they do not communicate in English, they are safe from the phishermen is wrong. Oh, and anyone who thinks VBA viruses are so 1990s and no longer a threat is most certainly wrong as well...


Comments
Interesting and thanks for sharing.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

Well, Windows and its applications are still the 800lb gorilla target of malware writers (viewing all the credit card hacks recently at Target, Home Depot, et al that infected Windows cashier terminals), though Mac OSX is getting more attention these days. I personally believe that Linux is still the most secure OS, especially if you keep it properly updated and if you don't allow root logins and require a password for sudo operations by trusted users (needed to install new software, run system management tools, etc). Part of the problem with Windows and Mac is that the default user is usually set up on installation to have system management permissions, which is a MAJOR system vulnerability. If the default user doesn't have admin capabilities by default, most of these hacks would not work, at least without some additional assistance by the user.

Thanks a lot for the topic
Great points.
Good tip!