Researchers at SophosLabs found an uptick in VBA samples in July.
Researchers at SophosLabs found an uptick in VBA samples in July.

Researchers at SophosLabs have detected a surge in Visual Basic malware, noting that macro-based malware accounted for 28 percent of all document malware in July, up from just six percent in June, according to a Naked Security blog post penned by Graham Chantry, a senior security researcher at SophosLabs.  

While 58 percent of document malware used known exploits, Chantry wrote, malware authors are increasingly choosing Visual Basic because it has some advantages. First, to avoid detection from nearly ubiquitous anti-virus software, malware families must “change form continuously.” An exploit's “rigid” file structure makes it difficult to invoke those changes without affecting functionality.

By contrast, Visual Basic code is easy to write and refactor and is flexible. Because similar functionality can be expressed in multiple ways, malware authors have a plethora of options for creating “distinct, workable versions” of the malware, Chantry explained.

Also, unlike exploits, VBA is not “tied to specific versions of Microsoft Office.” That tie-in requires that users are running a vulnerable version of Office as well as out-of-date or insufficient anti-virus software for the malware to do its dirty work. VBA has no such constraints.

Not that VBA doesn't have drawbacks. It can be stumped by Microsoft's “Macro Security Level” feature, Graham wrote, which in versions of Office 7 or later disables macros from untrusted sources by default and executes code only “if the user explicitly enables them.” Malware authors have gotten around this limitation through social engineering techniques such as claiming that a document's content is obfuscated for security reasons or that it requires different software to open—designed to “trick” users into running macros.

In a Wednesday email correspondence with SCMagazine.com, Chantry said he found “the surge in sophisticated Social Engineering methods” interesting.

“The ‘Sophos Encryption' samples covered in the paper, and others more recently, suggest malware authors might be getting less ‘bites' with the more basic SE tricks. Document based malware is commonly circulated in spam where the attached document is often inconsistent with the email content,” he said. “Masquerading as an AV vendor only serves to make the document appear more genuine and lures the user into a false sense of security that the document is probably not malicious," Chantry wrote.

Ease of coding and the success using those techniques may account for why researchers at SophosLabs have more recently seen a surge in VBA samples.

They detected a number of “very simplistic” VBA downloader templates that contain Visual Basic code, and comments that show authors where to insert malicious links and how to obfuscate code.  

As an example, the blog showed one template that “imports the Windows API URLDownloadToFile to download an executable into the user's temporary directory,” the blog said. “Once downloaded, the code uses the shell command to execute the dropped sample as a separate process.”

By substituting the DIRECT LINK HERE string with a URI to a malicious executable, malware authors can ensure the downloader will likely work straight out the box. That's a common code structure for VBA downloaders, accounting for about 34 percent of all macro downloaders that SophosLabs sampled in July.

“Arguably the most interesting thing to arise from the research in this paper is the discovery of apparent VBA templates,” Chantry said in email correspondence. “Up until now we could only speculate as to why authors moved towards VBA but these templates would go some way to explaining it.”  He explained that “getting malware installed on a user's machine is one of the most difficult parts of the infection process and, with some companies explicitly blocking executable attachments; a VBA template would provide the perfect solution.”  

But because the variants using these templates differ only marginally, heuristic detection has been made easier. “As to whether this trend is set to intensify or simply prove to be a purple patch for VBA malware, time will only tell,” said Chantry.

He also noted that malware authors are finding more creative ways of infecting systems. In the sample SophosLabs provided in its blog, “we saw Visual Basic code executing an encoded PowerShell script, to inject assembler code into memory,” Chantry explained. “More recent variants have even utilised the AutoIt scripting language and traditional Batchscript.” By adding new layers to the infection process malware authors are likely trying to “conceal their true intentions from AV detection (wrapping malicious assembler code within PowerShell, within Visual Basic, etc.),” he said. “Obfuscating the malicious payload may be somewhat effective against static signature based detection but the obfuscation process itself serves as an excellent trait for heuristic detection. The only question now is what languages will they choose next?”