Stopping Macro-based Malware Effectively
Detection of the Adnel malware by anti-malware engines grew from zero engines on January 23, 2015 to 28 engines by March 31, 2015. That lag of more than two months before broad signature coverage underscores the importance of proactive measures in countering such threats.
One such measure is document sanitization, particularly using advanced methods like Content Disarm and Reconstruction (CDR). This technique proactively disassembles incoming files, removing potentially dangerous components such as embedded macros, scripts, and exploit code before the files reach users. This approach eliminates threats without relying on detection or signatures.
Key to its effectiveness is proactive threat removal. Unlike detection tools that wait for malware signatures or alerts, CDR assumes every file could be malicious and cleans it upfront, thereby neutralizing macro-based malware embedded in documents.
Moreover, sanitization removes macros entirely, preventing accidental execution even if users try to open or enable them. This feature is crucial as macro malware often relies on tricking users into enabling macros.
CDR can sanitize common document formats (DOC, XLS, ZIP, installers) that might carry macros or malicious payloads, addressing threats in diverse file containers.
By delivering clean files without embedded threats, CDR reduces false positives and noise in security operations, allowing analysts to focus on actual threats rather than triaging every attachment that carries a macro.
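To make concrete what "removing embedded macros" means for a modern Office container, here is an added example (not OPSWAT's CDR and not any product's code): it rebuilds a .docm-style OOXML ZIP without the VBA parts and repairs the references that pointed at them, so the result is a plain document rather than a file with a macro a user could still enable. It assumes the standard OOXML layout (vbaProject.bin, vbaData.xml, the .rels entry and the [Content_Types].xml entries) and uses a constructed sample file; the legacy binary DOC and XLS formats need an OLE parser and are not handled here.

```python
import io
import re
import zipfile
# Assumed OOXML layout: VBA lives in vbaProject.bin (plus vbaData.xml in Word), referenced from a .rels part and [Content_Types].xml.
MACRO_PARTS = ("vbaProject.bin", "vbaData.xml")
MACRO_REF = rb"(?:vbaProject\.bin|vbaData\.xml)"
MACRO_CT = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def strip_macros(container: bytes) -> tuple[bytes, list[str]]:
    """Rebuild the ZIP without VBA parts; return (clean bytes, removed part names)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(container)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name.rsplit("/", 1)[-1] in MACRO_PARTS:
                removed.append(name)  # the VBA project is dropped outright; nothing is "detected"
                continue
            data = src.read(name)
            if name.endswith(".rels"):  # unlink the relationship that pointed at the VBA part
                data = re.sub(rb'<Relationship\b[^>]*Target="[^"]*' + MACRO_REF + rb'"[^>]*/>', b"", data)
            elif name == "[Content_Types].xml":  # drop its type entry and demote the document to plain .docx
                data = re.sub(rb'<Override\b[^>]*PartName="[^"]*' + MACRO_REF + rb'"[^>]*/>', b"", data)
                data = data.replace(MACRO_CT, PLAIN_CT)
            dst.writestr(name, data)
    return out.getvalue(), removed

def macro_references(container: bytes) -> list[str]:
    """Parts that are, or still point at, a VBA part; empty once sanitization succeeded."""
    with zipfile.ZipFile(io.BytesIO(container)) as z:
        return [n for n in z.namelist()
                if n.rsplit("/", 1)[-1] in MACRO_PARTS or re.search(MACRO_REF, z.read(n))]

def build_sample_docm() -> bytes:
    """Constructed .docm-like container for the demo; the VBA blob is a placeholder, not macro code."""
    parts = {
        "[Content_Types].xml": b'<Types><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            + b'<Override PartName="/word/document.xml" ContentType="' + MACRO_CT + b'"/>'
            + b'<Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/></Types>',
        "word/_rels/document.xml.rels": b'<Relationships><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            + b'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/></Relationships>',
        "word/document.xml": b"<w:document><w:body><w:p><w:r><w:t>Invoice</w:t></w:r></w:p></w:body></w:document>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder OLE blob",
        "word/vbaData.xml": b"<wne:vbaSuppData/>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Running strip_macros on the sample and then macro_references on the result shows the two VBA parts gone and no remaining part that refers to them, while the document text and its benign styles relationship survive.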
Older Office formats like binary DOC and XLS are more susceptible to carrying hidden macros that are harder to detect, emphasizing the importance of sanitization. Some attack vectors, such as HTA files with scripting capabilities, also require stringent file inspection and sanitization to prevent full system exploitation.
Email security products are increasingly integrating file sanitization techniques in their workflows, combining malware inspection, policy enforcement, and attachment cleaning to prevent threats before delivery to end users.
In summary, document sanitization via CDR and similar technologies is a robust, proactive defense that effectively neutralizes macro-based malware in email attachments, preventing infection without depending on detection or user actions. This approach is increasingly viewed as necessary given the sophistication and evasiveness of modern macro malware campaigns.
Employees should be aware of social engineering tactics that may induce them to enable macros in documents. Measures to block or remediate emails containing potential threats include blocking email attachments from unknown sources with dangerous file types, scanning attachments with multiple antivirus engines, and sanitizing email attachments to remove unknown threats.
Designing a good email security policy within an organization is important in light of the resurgence of macro-based malware. Training employees to properly identify and avoid opening malicious email attachments or enabling macros in documents from unknown sources is a key step in creating an effective email security policy.
Tony Berning, Sr. Manager at OPSWAT, is the source of this information. Researchers at OPSWAT prepared a demonstration of the effectiveness of document sanitization. One example of macro-based malware is Adnel, a macro that downloads and runs files on your PC when you open an infected Microsoft Office file.
Sources:
[1] Berning, T. (2015). The Importance of Document Sanitization in Protecting Against Macro-Based Malware. OPSWAT.
[2] Trend Micro. (2021). Email Security Best Practices for Small and Medium-Sized Businesses.
[3] Kaspersky. (2019). Macro Viruses: The Old Threat That Refuses to Die.
[4] Gartner. (2020). Email Security Gateways: What You Need to Know.
[5] Malwarebytes. (2018). The Evolution of Macro Malware.
Cybersecurity measures, such as document sanitization using Content Disarm and Reconstruction (CDR), are essential in today's technology-driven world, especially in light of the resurgence of macro-based malware. CDR actively disassembles incoming files, removing malicious components before they reach users. This proactive approach eliminates threats without relying on detection or signatures, as demonstrated by the example of Adnel, a macro that downloads and runs files on a PC.