Aniruddha Dolas is a security researcher at Quick Heal Security Labs. He has worked on various security vulnerabilities reported in MS Office and Acrobat PDF Reader, as well as network-based vulnerabilities. His interests are code deobfuscation, reverse engineering and vulnerability research. He shares his research through blog posts and white papers.
Depth of effective macro campaign
Spreading malware through MS Office macros is very simple, as it does not depend on the MS Office version. Some of the major threats like Emotet, Trickbot, Ursnif and Hancitor have been using VBA macros, and some features of OLE, such as DDE, have also been used to spread malware. Spear-phishing, APT attacks and the MuddyWater campaigns are a few that spread through the same channel. We would like to present how malware spreads using MS Office macros, go into detail about the different obfuscation techniques and how they bypass detection by different AVs, and show examples of both malicious VBA macro code and normal VBA macro code. Based on our findings, we show how to detect such VBA macros, and also how MS Office macro malware has evolved to stay persistent in the system using WMI, COM and the registry, behaving like a file-less threat.
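As an added example (not code from the talk or its author), the following Python script shows the kind of static triage a defender can run over VBA source once it has been extracted from a document: it scores the source for the indicator classes the abstract names, namely auto-execution entry points, string-building obfuscation (Chr/StrReverse chains), COM and WMI execution primitives, and registry Run-key writes. The indicator list, weights, thresholds and the three sample macros are all constructed for this example; a production scanner would sit behind a VBA extractor such as olevba rather than on raw text, and the heuristics here are deliberately simple so that the scoring is easy to follow.

```python
"""Heuristic triage of extracted VBA macro source (added example, not from the page).

Assumes the macro text has already been pulled out of the Office document;
only the text is analysed. Indicator names, weights and the sample macros
below are constructed for this example.
"""
import re

# (indicator name, pattern, weight): weights and groups are this example's choice.
INDICATORS = [
    # Entry points that run without user interaction when the document opens/closes.
    ("auto_exec", re.compile(r"\b(Auto_?Open|Document_Open|Workbook_Open|AutoExec|AutoClose)\b", re.I), 3),
    # String assembly functions commonly used to hide literals from static scanners.
    ("string_obfuscation", re.compile(r"\b(Chr[WB]?|StrReverse|Xor|Mid|Replace)\s*\(", re.I), 1),
    # COM/shell primitives that turn a document macro into arbitrary code execution.
    ("execution", re.compile(r"\b(Shell|CreateObject|GetObject|WScript\.Shell|Run)\b", re.I), 3),
    # WMI namespaces/classes used for process creation and event-based persistence.
    ("wmi", re.compile(r"winmgmts:|Win32_Process|__EventFilter", re.I), 4),
    # Registry writes, in particular to Run keys, used for persistence.
    ("registry", re.compile(r"\bRegWrite\b|HKCU\\|HKLM\\|\\CurrentVersion\\Run", re.I), 3),
    # Plaintext fragments that often survive weak obfuscation.
    ("suspicious_strings", re.compile(r"powershell|cmd\.exe|-enc|hidden", re.I), 2),
]

SUSPICIOUS_THRESHOLD = 6  # constructed cut-off for the weighted score


def scan_macro(source: str) -> dict:
    """Return hit counts per indicator group, a weighted score and a verdict.

    Score counts each group once (presence, not volume) so a long but benign
    macro using Mid()/Replace() a lot does not drift into the suspicious band.
    An auto-exec entry point combined with any execution primitive is always
    flagged, regardless of score, because that pairing is the classic dropper shape.
    """
    hits = {}
    for name, pattern, _weight in INDICATORS:
        count = len(pattern.findall(source))
        if count:
            hits[name] = count
    score = sum(weight for name, _pattern, weight in INDICATORS if name in hits)
    if score >= SUSPICIOUS_THRESHOLD or ("auto_exec" in hits and "execution" in hits):
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "benign"
    return {"score": score, "hits": hits, "verdict": verdict}


# --- constructed sample macros (test fixtures, not real-world code) ---

BENIGN_MACRO = r"""
Sub FormatReport()
    ' Adds a header row and totals a column
    Range("A1").Value = "Quarterly Report"
    Range("A1").Font.Bold = True
    Dim total As Double
    total = Application.WorksheetFunction.Sum(Range("B2:B20"))
    Range("B21").Value = total
End Sub
"""

# Legitimate automation that still uses a COM object: lands in the "review" band.
FILE_EXPORT_MACRO = r"""
Sub ExportCsv()
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    fso.CreateTextFile("report.csv").Write Range("A1").Value
End Sub
"""

# Constructed fixture showing the indicator shapes only; payload strings are placeholders.
SUSPICIOUS_MACRO = r"""
Sub AutoOpen()
    Dim s As String
    s = Chr(72) & Chr(105) & StrReverse("dlrow")
    Set o = CreateObject(StrReverse("llehS.tpircSW"))
    o.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Upd", "EXAMPLE_PLACEHOLDER"
    Set w = GetObject("winmgmts:")
    w.Get("Win32_Process").Create "EXAMPLE_PLACEHOLDER", Null, Null, pid
End Sub
"""

if __name__ == "__main__":
    for label, src in [("benign", BENIGN_MACRO), ("export", FILE_EXPORT_MACRO), ("dropper-shaped", SUSPICIOUS_MACRO)]:
        result = scan_macro(src)
        print(f"{label:15s} verdict={result['verdict']:10s} score={result['score']:2d} hits={result['hits']}")
```

The "review" band is the important design choice: CreateObject alone is common in legitimate business macros, so it should raise the score without tripping the alarm, while the combination of an auto-execution entry point, reversed or character-assembled strings, a Run-key write and a WMI reference is what pushes the third sample into "suspicious".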