During the past week, Symantec has noted a significant spike in detections for W97M.Downloader, which is one of our standard detections for malicious Microsoft Word macros. This appears to be largely due to a number of recent ransomware campaigns that have resorted to using Word macros as a means of infection.
Figure. Detections of malicious Word macros (W97M.Downloader)
Macros are a long-established attack vector, but their popularity dwindled in recent years in the light of growing awareness and the fact that macros are now disabled by default by most major software developers. Although they enjoyed their heyday more than a decade ago, Word macro attacks picked up in recent months before a major surge last week.
One such ransomware campaign was discovered last week and targeted victims in France with emails that purport to come from the French Ministry for Justice. The emails informed the victim that a court judgment had been made against them, authorizing the seizure of property in lieu of money they owed.
The fake judgment comes in an attached Microsoft Word document. If the document is opened, it downloads and displays an image of a letter from the French Ministry of Justice. However, the document also contains a macro which, if allowed to run, will install several pieces of malware on the victim’s computer, including the Cryptodefense variant of ransomware (Trojan.Cryptodefense).
This is just one of a number of ransomware campaigns seen by Symantec and a number of other vendors in recent weeks which used malicious Word macros. Since macros are disabled by default, attackers do have to find a way of making the victim enable them, but this can sometimes be achieved through social engineering, such as using a Word document that displays garbled text and a message that macros may need to be enabled to display the text correctly.
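As an added example (not code from Symantec's post), here is a Python check that a mail gateway or analyst could run on inbound Word attachments: it flags OOXML documents that carry a VBA project part, and sets aside legacy binary .doc files (the W97M-era format) for review. The sample package and all function names are constructed here for illustration.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (CFB) header
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def build_sample_docx(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML package in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_macro:
            ct += b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            z.writestr("word/vbaProject.bin", b"\x00constructed-vba-blob")
        ct += b"</Types>"
        z.writestr("[Content_Types].xml", ct)
        z.writestr("word/document.xml", b"<w:document/>")
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'legacy-ole' or 'other'.

    This flags only the presence of a VBA project, not whether it is malicious;
    a flagged file still needs sandboxing or analyst review.
    """
    if data.startswith(OLE_MAGIC):
        # Legacy .doc: the VBA project lives inside the OLE container and needs
        # an OLE parser to inspect, so route it for review rather than guessing.
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            content_types = z.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    except zipfile.BadZipFile:
        return "other"
    # A .docm renamed to .docx still carries vbaProject.bin, so check parts, not the extension.
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    if has_vba_part or VBA_CONTENT_TYPE in content_types:
        return "ooxml-macro"
    return "ooxml-clean"


if __name__ == "__main__":
    for label, flag in (("macro", True), ("clean", False)):
        print(label, classify_attachment(build_sample_docx(flag)))
```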
Given hurdles such as these, why have macro attacks made a comeback? One of the reasons they faded in popularity was a growth in awareness about how they can be put to malicious use. However, awareness can fade over time, and there is probably now a significant proportion of internet users who are unaware of this danger.
Symantec and Norton products detect the malware mentioned in this blog as:
Analysis of samples is ongoing and protection will be updated if necessary.