
Halting Macro-Malware Dead in Its Tracks: A Comprehensive Guide

Resurgence of Malware in Microsoft Office Documents: Latest Reports on Dridex Botnet and Adnel and Tarbir Malware Reveal


In the digital age, email attacks continue to pose a significant threat to organisations worldwide. One such threat is macro-based malware, a type of malicious software that can be hidden behind layers of data, making it difficult for anti-malware engines to detect.

Recent research by OPSWAT, a leading cybersecurity company, has demonstrated the effectiveness of document sanitisation in neutralising such threats. The researchers prepared a demonstration using the Adnel malware sample, a notorious macro-based threat.

Macro-based threats are often spread via email campaigns, where the malicious file is included as an attachment to the email message. Attackers may try to entice users to enable macros by creating a document that the user would want to modify. However, by default, Office documents opened as email attachments have macros and editing disabled, requiring the user to actively choose to enable them.

The Adnel malware, for instance, is a macro that downloads and runs files on your PC when you open an infected Microsoft Office file. This could potentially lead to a range of harmful activities, from data theft to system compromise.

On January 23, 2015, when none of the anti-malware engines were detecting Adnel as a threat, document sanitisation could have been used to neutralise it. The company that carried out the document sanitisation to neutralise the Adnel malware attack was Cleafy.

Several different methods were used to convert the Adnel malware sample to other safe file types during the document sanitisation process. The resulting files were then scanned with Metascan Online to confirm that the malicious macro had been removed and the threat neutralised.

Trend Micro's Trend Labs have reported an increase in macro-based malware against the UPATRE malware in spam emails, underscoring the ongoing threat posed by these attacks. The Dridex botnet and the Adnel and Tarbir malware have also resurfaced, embedded as macros within Microsoft Office documents.

Given these threats, a good email security policy within an organisation should be designed, including employee training to avoid opening malicious email attachments or enabling macros in documents from unknown sources. Measures to prevent macro-based threats include blocking email attachments from unknown sources with dangerous file types, scanning attachments with multiple antivirus engines, and sanitising email attachments to remove unknown threats.
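The sanitisation step described above (converting a macro-carrying document into a safe file type, then rescanning it) and the attachment-blocking measure in the policy list can both be illustrated in code. The following Python script is an added example and is not OPSWAT's, Cleafy's or the article's own tooling: it builds a constructed stand-in for a macro-enabled .docm (an OOXML zip with a dummy vbaProject.bin, not a real VBA project), flags it by extension and by structure so that a renamed attachment is still caught, and then rewrites the container without its VBA parts so that it opens as a plain .docx. The extension policy list and the content-type and relationship constants are assumptions based on the OOXML packaging conventions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed policy list of macro-enabled Office extensions (not from the article).
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}

# OOXML packaging namespaces and the identifiers that mark a VBA project.
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
DOCM_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
DOCX_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def build_sample_docm() -> bytes:
    """Constructed stand-in for a macro-enabled .docm: an OOXML zip carrying a VBA part.
    The vbaProject.bin payload is dummy bytes, not a real VBA project."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Types xmlns="{CT_NS}">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Default Extension="bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        f'<Override PartName="/word/document.xml" ContentType="{DOCM_MAIN_CT}"/>'
        '</Types>'
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{VBA_REL_TYPE}" Target="vbaProject.bin"/>'
        '</Relationships>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Please enable content</w:t></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)  # dummy OLE header
    return buf.getvalue()


def find_vba_parts(data: bytes) -> list:
    """Names of VBA project parts inside an OOXML container ([] if the data is not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def is_macro_enabled(filename: str, data: bytes) -> bool:
    """Policy check: flag by extension OR by structure, so a renamed .docm is still caught."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in MACRO_ENABLED_EXTENSIONS or bool(find_vba_parts(data))


def _strip_content_types(xml_bytes: bytes) -> bytes:
    """Drop the VBA content type and downgrade the main part from .docm to .docx."""
    root = ET.fromstring(xml_bytes)
    for el in list(root):
        if el.get("ContentType") == VBA_CONTENT_TYPE:
            root.remove(el)
        elif el.get("ContentType") == DOCM_MAIN_CT:
            el.set("ContentType", DOCX_MAIN_CT)
    ET.register_namespace("", CT_NS)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def _strip_rels(xml_bytes: bytes) -> bytes:
    """Remove relationships pointing at the VBA project; other relationships are kept."""
    root = ET.fromstring(xml_bytes)
    for el in list(root):
        if el.get("Type") == VBA_REL_TYPE:
            root.remove(el)
    ET.register_namespace("", REL_NS)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def strip_macros(data: bytes) -> bytes:
    """Rebuild the container without VBA parts; the result is a plain (macro-free) .docx."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            lower = name.lower()
            # vbaProject.bin, its .rels file and vbaData.xml are all macro carriers.
            if "vbaproject.bin" in lower or lower.endswith("vbadata.xml"):
                continue
            body = src.read(name)
            if name == "[Content_Types].xml":
                body = _strip_content_types(body)
            elif lower.endswith(".rels"):
                body = _strip_rels(body)
            dst.writestr(name, body)
    return out.getvalue()


def read_part(data: bytes, name: str) -> str:
    """Return one part of an OOXML container as text (used to verify the sanitised output)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name).decode("utf-8")


if __name__ == "__main__":
    sample = build_sample_docm()
    print("before:", is_macro_enabled("invoice.docm", sample), find_vba_parts(sample))
    clean = strip_macros(sample)
    print("after:", is_macro_enabled("invoice.docx", clean), find_vba_parts(clean))
```

In a mail gateway this would sit between the attachment-type filter and the multi-engine scan: attachments matching the policy list are blocked or sanitised, the sanitised output is rescanned, and the original is quarantined for analysis. Stripping the VBA parts rather than merely renaming the file is the point; the structural check in `is_macro_enabled` shows why an extension-only block list is not enough.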

Employees should also be aware of the social engineering tactics, such as the lures described above, that may induce them to enable macros.

In conclusion, document sanitisation should be considered a crucial step for preventing macro-based malware from entering an organisation through email attacks. It can prevent both known and unknown macro-based threats from entering an organisation, providing an essential layer of defence in the ongoing battle against cyber threats. The account of document sanitisation's effectiveness is sourced from Tony Berning, Sr. Manager at OPSWAT.
