[BreachExchange] The 90s Hacking Trick Making a Comeback

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 7 19:38:08 EDT 2016


http://motherboard.vice.com/read/the-90s-hacking-trick-making-a-comeback-macros-malware

One hack targeted a political dissident in London; another attack led to a
massive power outage across Ukraine. On the face of it, nothing connected
these two incidents.

But they both relied on a certain hacking technique, one that fell out of
fashion at the turn of the century and has made something of a comeback:
Macros.

Macros are essentially small programs embedded in documents that automate
tasks and save users time. They might be used for quickly creating a
company's letterhead in Word, or for inserting tables that have already
been formatted. But hackers can use macros to deliver malware to targets’
computers.

On Sunday, research group Citizen Lab published findings on Stealth Falcon,
a hacking campaign suspected to originate from the United Arab Emirates
that has been targeting activists. Part of this involved sending a
malware-laden Word document to Rori Donaghy, a London-based journalist.

“In order to protect the content of the attachment we had to add macro
enabled security. Please enable macros in order to read the provided
information about our organization,” the email read. It was supposedly sent
by a human rights organization called “The Right to Fight,” but according
to Citizen Lab, no such organization exists.

Citizen Lab found that the document macro included within that email
attachment gathers information about the target system, and eventually
opens up the computer to further attack.

“This gives the operator control over the victim’s computer, and allows the
operator to install additional spyware or perform other activities,” Bill
Marczak and John Scott-Railton from Citizen Lab write.

In another case involving macros, hackers targeted multiple power
distribution companies throughout Ukraine and sent them a malicious Word
document. Once victims enabled macros, a piece of malware called
BlackEnergy3 infected their computers.

In short, macros are often used by attackers to get a more serious piece of
malware onto a target’s computer, perhaps then to steal documents,
passwords, or other information.

Macro-based attacks date back to the 1990s and steadily rose in popularity
until around 2000, after which their prevalence dropped substantially.

“In the past five years, macro viruses (and more generally, macro malware)
could be considered practically extinct—thanks mostly to the security
improvements that were introduced over that period of time to their main
target, the Microsoft Office products,” Gabor Szappanos from cybersecurity
company Sophos wrote in a 2014 paper. Indeed, macros were eventually
disabled by default in Microsoft Office.

Clearly, though, macro malware is back. And today an attacker using macros
has more in common with someone sending phishing emails: they trick the
victim into enabling macros through social engineering.

There are ways to mitigate the threat. In March of this year, Microsoft
pushed a new feature into Office that would allow system administrators to
block the running of macros on their networked machines. And of course,
vigilance goes a long way when it comes to social engineering.
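As an added example (not code from the article, Citizen Lab or Microsoft), the PowerShell script below audits whether that Office 2016 "block macros from files from the Internet" policy is in force for Word, Excel and PowerPoint on a workstation, and with -Enforce sets it. The registry path and value name are assumptions based on Office 2016's policy layout, so check them against Microsoft's documentation for your build; note also that the policy only covers documents carrying the Internet zone mark, not files created locally.

```powershell
param(
    [switch]$Enforce   # without -Enforce the script only reports the current state
)

# Assumption: Office 2016 policy layout (version key 16.0); adjust for other builds.
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$name = 'blockcontentexecutionfrominternet'   # 1 = block macros in files from the Internet
$apps = 'Word', 'Excel', 'PowerPoint'

# Returns 1/0 if the policy value is present, $null if the key or value is absent.
function Get-MacroBlockState {
    param([string]$App)
    $path = Join-Path $base "$App\Security"
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$name
}

foreach ($app in $apps) {
    $value = Get-MacroBlockState -App $app
    $state = if ($value -eq 1) { 'blocked' } else { 'NOT blocked' }
    $shown = if ($null -eq $value) { 'absent' } else { $value }
    Write-Output ('{0,-10} {1,-12} ({2} = {3})' -f $app, $state, $name, $shown)

    if ($Enforce -and $value -ne 1) {
        $path = Join-Path $base "$app\Security"
        New-Item -Path $path -Force | Out-Null                 # creates any missing key path
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Output ('           -> set {0} = 1 for {1}' -f $name, $app)
    }
}
```

Run it as the user whose Office profile you want to check; in a domain the same value is normally pushed by Group Policy rather than set locally.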

But, in the same way that phishing emails continue to be an established
form of infection, maybe macro-based attacks are here to stay for a while
longer. The 90s is making a comeback, after all.