MS Office’s Built-In Feature Could Be Misused to Develop Self-Replicating Malware

New Macro Malware Threat Targets Microsoft Office Users

A security researcher recently described a weakness present in all current versions of Microsoft Office that lets a macro copy its own VBA code into other documents, so that a single infected file can seed further infections on its own. Self-replicating macro malware is not new; Microsoft ships controls intended to block this behaviour, but those controls turn out to be easier to switch off than they should be.

Lino Antonio Buono, an Italian security researcher at InTheCyber, disclosed a simple technique for getting around these controls, producing self-replicating malware hidden inside ordinary-looking Word documents. Buono reported the issue to Microsoft in October, but the company classified the behaviour as a feature working as intended rather than as a flaw. The response mirrors Microsoft's handling of the DDE feature in Office, which attackers have also abused.

Alarmingly, a new strain called "qkG Ransomware" has since surfaced that uses the same self-replication trick Buono described. Trend Micro, which documented the malware, considers it experimental or a proof of concept rather than a fully deployed threat. Samples were found on VirusTotal, uploaded by a user in Vietnam. Rather than running when a document is opened, qkG's malicious macro runs when the victim closes the infected document.

The ransom note carries a Bitcoin address and demands $300. The address has recorded no transactions so far, which points to very limited deployment, but the potential for harm is clear. The malware is triggered by an AutoClose VBA macro, so its code runs without any further click once the user closes the document. One caveat applies: macros must already be enabled for that document, whether by the user clicking through the warning or by a weakened macro setting.

In a video shared with The Hacker News, Buono demonstrated how a Word document carrying malicious VBA code can deliver a self-replicating, multi-stage payload. By default, Office blocks macros in documents from untrusted sources and warns the user before enabling them. A separate option, "Trust access to the VBA project object model", is also off by default. When it is on, running macro code can read and write the VBA code of other documents and templates, which is exactly what self-replication requires, and it is an option security experts have long advised against enabling.

Buono found that the option is governed by a per-user registry value (for Word, AccessVBOM under HKCU\Software\Microsoft\Office\<version>\Word\Security), and that a macro can set it without the user's knowledge. Once that value is flipped, the macro can copy its own code into other documents the victim handles, and those documents carry the infection to anyone they are shared with, which is especially effective between trusted contacts who routinely exchange files.
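The chain described above, an auto-run trigger plus registry write plus access to other VBA projects, is what a scanner should look for. The PowerShell function below is an added example written for this page, not code from the article, from Buono or from Trend Micro. It takes VBA source text that has already been extracted from a document (for instance with a tool such as olevba) and reports which stages of the chain are present. The indicator names, the role labels and the sample macro are this example's own constructions; the registry value name and the VBA object names it matches are the real ones.

```powershell
# Added example: flag VBA source that combines an auto-run trigger with
# VBA-project (VBOM) access, the combination a self-replicating macro needs.
# Input: VBA source text already extracted from a document.

function Test-VbaSelfReplication {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Source
    )

    # Each indicator: a name, the role it plays in the chain, and a regex.
    # Roles: trigger (runs without a click), enable (flips AccessVBOM),
    # replicate (rewrites another VBA project), spread (targets the template).
    $indicators = @(
        @{ Name = 'AutoRunTrigger'; Role = 'trigger';   Pattern = '\b(AutoOpen|AutoClose|AutoExec|Document_Open|Document_Close|Workbook_Open)\b' }
        @{ Name = 'RegistryWrite';  Role = 'enable';    Pattern = '\bRegWrite\b|\bAccessVBOM\b' }
        @{ Name = 'VbomAccess';     Role = 'replicate'; Pattern = '\.VBProject\b|\bVBComponents\b|\bCodeModule\b' }
        @{ Name = 'CodeInjection';  Role = 'replicate'; Pattern = '\b(AddFromString|InsertLines|DeleteLines)\b' }
        @{ Name = 'NormalTemplate'; Role = 'spread';    Pattern = '\bNormalTemplate\b|\bNormal\.dotm?\b' }
    )

    $hits = foreach ($i in $indicators) {
        $m = [regex]::Matches($Source, $i.Pattern, 'IgnoreCase')
        if ($m.Count -gt 0) {
            [pscustomobject]@{ Indicator = $i.Name; Role = $i.Role; Count = $m.Count; Sample = $m[0].Value }
        }
    }

    $roles = @($hits | Select-Object -ExpandProperty Role -Unique)
    [pscustomobject]@{
        Hits            = @($hits)
        # Trigger plus the ability to write another project is the replication core.
        SelfReplicating = ($roles -contains 'trigger') -and ($roles -contains 'replicate')
        # A macro that also flips the registry works even on a default configuration.
        EnablesItself   = ($roles -contains 'enable')
        SpreadsViaTemplate = ($roles -contains 'spread')
    }
}

# Constructed sample for the demonstration (not qkG's code): the shape of
# a macro that runs on close, trusts the VBOM for itself, and copies its
# module into the Normal template.
$sample = @'
Sub AutoClose()
    Dim sh: Set sh = CreateObject("WScript.Shell")
    sh.RegWrite "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\AccessVBOM", 1, "REG_DWORD"
    Dim src: src = ThisDocument.VBProject.VBComponents("ThisDocument").CodeModule.Lines(1, 50)
    NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString src
End Sub
'@

Test-VbaSelfReplication -Source $sample | Format-List
```

On the constructed sample every role fires, so SelfReplicating, EnablesItself and SpreadsViaTemplate are all true. A legitimate document automation macro may well reference VBProject or AddFromString on its own; the point of grouping indicators by role is that the combination of an auto-run trigger with project rewriting, and above all with a RegWrite to AccessVBOM, is what separates a replicator from a developer's tooling.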

Although this technique has not yet been seen in widespread use, self-replicating macro malware built on it poses a serious risk. Traditional antivirus products often miss it, because the capability it relies on is a legitimate Office feature rather than an exploit of a bug.

To reduce the risk from macro malware, security experts recommend treating unsolicited documents with suspicion and never enabling macros or following links in files from unknown senders. Because the capability lives inside a legitimate software feature, it will not be patched away; organisations need to understand the exposure and enforce it by policy, for example by disabling macros for users who do not need them and never granting trust access to the VBA project object model.
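As a concrete version of that policy check, the PowerShell function below is an added example for this page (not from the article) that audits, for every Office version installed for the current user, the two Word settings the technique depends on: AccessVBOM (trust access to the VBA project object model) and VBAWarnings (the macro security level). The registry paths and value names are Word's real ones; the risk wording and the optional -Remediate behaviour are this script's own design. It reads both the user-level key and the Policies key, since values written there by Group Policy take precedence over the user's own settings, and it only resets the user-level AccessVBOM value, leaving policy-enforced values to GPO.

```powershell
# Added example: audit the per-user Word settings that self-replicating macros rely on.
# Run in the context of the user being checked; -Remediate resets a user-level AccessVBOM=1.

function Get-WordMacroPosture {
    [CmdletBinding()]
    param(
        [switch]$Remediate
    )

    # Documented meanings of the VBAWarnings DWORD.
    $meaning = @{
        1 = 'Enable all macros'
        2 = 'Disable all macros with notification (Office default)'
        3 = 'Disable all except digitally signed macros'
        4 = 'Disable all macros without notification'
    }

    # Office 2007, 2010, 2013 and 2016/2019/365 hives respectively.
    foreach ($ver in '12.0', '14.0', '15.0', '16.0') {
        $userKey   = "HKCU:\Software\Microsoft\Office\$ver\Word\Security"
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$ver\Word\Security"
        if (-not (Test-Path $userKey) -and -not (Test-Path $policyKey)) { continue }

        $u = Get-ItemProperty -Path $userKey   -ErrorAction SilentlyContinue
        $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

        # Policy values (set by GPO) win over the user's own settings.
        $vbom     = if ($null -ne $p.AccessVBOM)  { $p.AccessVBOM }  else { $u.AccessVBOM }
        $warnings = if ($null -ne $p.VBAWarnings) { $p.VBAWarnings } else { $u.VBAWarnings }
        if ($null -eq $warnings) { $warnings = 2 }   # absent value means the Office default

        # Risk wording is this example's own scale, not an Office or Microsoft rating.
        $risk = if ($vbom -eq 1 -and $warnings -le 2) { 'High: macros can run and rewrite other VBA projects' }
                elseif ($vbom -eq 1)                  { 'Medium: VBOM trusted, but macros restricted' }
                else                                  { 'Low' }

        $finding = [pscustomobject]@{
            Version        = $ver
            AccessVBOM     = ($vbom -eq 1)
            VBOMFromPolicy = ($null -ne $p.AccessVBOM)
            MacroSetting   = $meaning[[int]$warnings]
            Risk           = $risk
            Remediated     = $false
        }

        # Only the user-level value is reset; a policy-enforced value is left to GPO.
        if ($Remediate -and $u.AccessVBOM -eq 1 -and $null -eq $p.AccessVBOM) {
            Set-ItemProperty -Path $userKey -Name AccessVBOM -Value 0 -Type DWord
            $finding.Remediated = $true
        }
        $finding
    }
}

Get-WordMacroPosture | Format-Table -AutoSize
```

A user-level reset is a stopgap: a macro running as that user can write the value back, which is the whole point of the technique. The durable fix is the Group Policy setting for trust access to the VBA project object model, which lands in the Policies key this script reads first, combined with a VBAWarnings level of 3 or 4 for users who do not need macros.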

The episode underlines the need for proactive controls rather than reliance on vendor fixes, since Microsoft has said this behaviour will stay. The risk from macro malware is well understood, and it deserves immediate attention from any business that handles Office documents from outside its walls.

For a structured view of the tactics involved, the MITRE ATT&CK framework is a useful reference. The relevant techniques are initial access through a spearphishing attachment (T1566.001), execution through user execution of a malicious file and the Visual Basic scripting interpreter (T1204.002, T1059.005), persistence through macros written into Office templates (T1137.001), and defense evasion through modifying the registry (T1112). Note that flipping the AccessVBOM value is not privilege escalation: it is a change to the user's own settings, made at the user's privilege level, which is precisely why no elevation prompt alerts the victim.
