Threat actors are increasingly using VBA code to prepare malicious documents. Researchers have recently observed them adopting a technique called VBA Purging, in which an Office document carries only the VBA source code (and no compiled code), which offers better detection evasion.
Rise of the VBA Purging Trend
- The technique targets how VBA code is stored: malicious Office documents keep their VBA code within streams of Compound File Binary Format (CFBF) files, and the VBA macro format (MS-OVBA) saves VBA data in a hierarchy that includes various types of streams.
- The VBA code is saved inside module streams, which hold both the CompressedSourceCode (VBA source code compressed with a proprietary algorithm) and the PerformanceCache (P-code, i.e. the compiled VBA code).
- Generally, Office applications use the compiled code in the module stream when it was compiled by an application with the same architecture and version. Otherwise, the compressed source code is decompressed, compiled, and executed.
- It has also been observed that detection rates for VBA-purged malicious documents are lower than for malicious documents created with normal VBA code. Currently, the detection rate stands close to 67%.
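As an added illustration (not code from the eScan post), the following Python decompresses a module stream's CompressedSourceCode with the MS-OVBA algorithm and reports whether a PerformanceCache precedes it: a MODULEOFFSET of 0 means the module carries source only, which is what a defender checks for when triaging a suspected VBA-purged document. The stream bytes, MODULEOFFSET values and fake p-code bytes are constructed sample data.

```python
import struct

def decompress(container: bytes) -> bytes:
    """MS-OVBA 2.4.1 decompression: CompressedContainer -> plain bytes."""
    if not container or container[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out, pos = bytearray(), 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunk signature")
        end = min(len(container), pos + (header & 0x0FFF) + 3)
        pos, chunk_start = pos + 2, len(out)
        if not header >> 15:  # flag 0: raw chunk, 4096 literal bytes follow
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < end:  # TokenSequence: flag byte + up to 8 tokens
            flags, pos = container[pos], pos + 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:  # literal token: one raw byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                diff = len(out) - chunk_start  # decides offset/length bit split
                if diff == 0:
                    raise ValueError("copy token before any chunk data")
                bits = max((diff - 1).bit_length(), 4)  # == ceil(log2(diff))
                length = (token & (0xFFFF >> bits)) + 3
                src = len(out) - ((token >> (16 - bits)) + 1)
                for i in range(length):  # byte-wise: copies may overlap
                    out.append(out[src + i])
    return bytes(out)

def inspect_module(stream: bytes, module_offset: int):
    """Split a module stream at MODULEOFFSET (taken from the dir stream).
    Returns (purged, source): purged is True when no PerformanceCache
    precedes the CompressedSourceCode, the layout VBA purging leaves."""
    return module_offset == 0, decompress(stream[module_offset:])

# Constructed sample: "Sub Auto_Open()\r\nEnd Sub\r\n" as one compressed chunk.
SAMPLE_SOURCE = (b"\x01\x1b\xb0"      # signature byte, chunk header 0xB01B
                 + b"\x00Sub Auto"    # flag 0x00: eight literal tokens
                 + b"\x00_Open()\r"   # eight more literals
                 + b"\x20\nEnd " + b"\x00\xa0" + b"\r\n")  # token 5 copies "Sub"
FAKE_PCODE = b"\xca\xfe" * 8          # stand-in for compiled p-code bytes
NORMAL_MODULE, PURGED_MODULE = FAKE_PCODE + SAMPLE_SOURCE, SAMPLE_SOURCE
```

For a real document, the module stream and its MODULEOFFSET would be read from the vbaProject.bin with an OLE parser such as olefile; here they are embedded inline.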
Recent attacks
Besides the new purging technique, several attackers have been observed using VBA code in malicious Microsoft Office documents.
- In early December, DeathStalker used a macro-based delivery chain, which was eventually used to run PowerPepper and set up its persistence.
- In another attack, a spy campaign spreading the Bandook Trojan was found using a template document that included VBA code.
Cybercriminals are actively investing time in newer techniques to improve their persistence and obfuscation capabilities, as is evident from the frequent use of VBA code in attacks and the innovative use of VBA purging. Consequently, our internal experts suggest disabling macros where they are not necessary and blocking Microsoft Office macros from running in files that come from the internet. They further recommend training employees to spot malicious documents.
To read more, please check the eScan Blog.