Prashant Tilekar is a security researcher on the HIPS (Host-based Intrusion Prevention System) team at Quick Heal Security Labs. He has worked on various security vulnerabilities reported in MS Office and Acrobat PDF Reader, on network-based vulnerabilities, and on hunting ongoing malware trends. He focuses on deep and wide malware analysis, as well as research into noteworthy and emerging threats. He has a keen interest in writing blog posts on trends observed during his research. His areas of interest include malware research and new vulnerabilities.
Depth of effective macro campaign
Spreading malware through MS Office macros is very simple, since VBA macros run regardless of the MS Office version. Major threats such as Emotet, Trickbot, Ursnif and Hancitor have been using VBA macros, and OLE features such as DDE have also been used to spread malware. Spear-phishing, APT attacks and MuddyWater campaigns are a few of the operations that spread through the same channel. We would like to show how malware is spread using MS Office macros, cover in detail the different obfuscation techniques and how they bypass detection by different AVs, and compare examples of malicious VBA macro code with normal VBA macro code. From our findings, we show how to detect such VBA macros. We also cover how MS Office macro malware has evolved to stay persistent on the system using WMI, COM and the registry, behaving like fileless malware.
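As an added illustration of the detection problem described above (this is example code written for this page, not material from the talk or from Quick Heal Security Labs), the following Python script triages VBA macro source the way a simple static scanner would: it looks for auto-execution entry points, for suspicious API use (shell execution, COM instantiation, WMI access, registry Run-key persistence, PowerShell), and for common string-obfuscation constructs, and it resolves `Chr()` concatenation chains and constant `StrReverse()` calls so that strings assembled at runtime can be matched too. Both macro samples are constructed for the example, the indicator names and scoring are assumptions, and the script takes macro text as input; pulling that text out of a real .doc/.docm file needs a separate VBA extractor such as oletools' `olevba`.

```python
"""Heuristic static triage of VBA macro source.

Flags auto-exec entry points, suspicious API usage (shell, COM, WMI,
registry Run-key persistence, PowerShell) and common string obfuscation,
and resolves Chr()/StrReverse() tricks so decoded strings can be matched.
"""
import re

# Constructed sample (not a real-world macro): an ordinary formatting macro.
BENIGN_VBA = """
Sub FormatReport()
    Range("A1:D1").Font.Bold = True
    Columns("A:D").AutoFit
End Sub
"""

# Constructed sample (not a real-world macro): an obfuscated macro that
# assembles "WScript.Shell" from Chr() calls, reverses "winmgmts:" to reach
# WMI, and writes an HKCU Run key so a hidden PowerShell command persists.
MALICIOUS_VBA = """
Private Sub Document_Open()
    Dim o, s, w
    s = Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    Set o = CreateObject(s)
    o.RegWrite "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd", "powershell -w hidden -enc QQBB"
    Set w = GetObject(StrReverse(":stmgmniw"))
End Sub
"""

AUTO_EXEC = re.compile(
    r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoClose|Document_Close)\b", re.I)

# Matched against the decoded source so strings built at runtime are caught.
INDICATORS = {
    "shell_execution": re.compile(r"\b(Shell|WScript\.Shell|ShellExecute)\b", re.I),
    "com_instantiation": re.compile(r"\b(CreateObject|GetObject)\s*\(", re.I),
    "wmi_access": re.compile(r"winmgmts:", re.I),
    "registry_persistence": re.compile(r"RegWrite|CurrentVersion\\Run", re.I),
    "powershell": re.compile(r"\bpowershell\b", re.I),
}

# Matched against the raw source: these constructs vanish once decoded.
OBFUSCATION = {
    "chr_concat": re.compile(r"ChrW?\s*\(\s*\d+\s*\)\s*&", re.I),
    "strreverse": re.compile(r"\bStrReverse\s*\(", re.I),
}

CHR_CALL = re.compile(r"ChrW?\s*\(\s*(\d+)\s*\)", re.I)
CHR_CHAIN = re.compile(r"ChrW?\s*\(\s*\d+\s*\)(?:\s*&\s*ChrW?\s*\(\s*\d+\s*\))*", re.I)
STR_REVERSE = re.compile(r'StrReverse\s*\(\s*"([^"]*)"\s*\)', re.I)


def deobfuscate(vba: str) -> str:
    """Replace Chr() concatenation chains and StrReverse("...") calls with the
    string literal they evaluate to. Only constant arguments are resolved;
    anything computed at runtime is left as-is."""
    def join_chrs(m):
        return '"' + "".join(chr(int(n)) for n in CHR_CALL.findall(m.group(0))) + '"'
    out = CHR_CHAIN.sub(join_chrs, vba)
    return STR_REVERSE.sub(lambda m: '"' + m.group(1)[::-1] + '"', out)


def triage(vba: str, decode: bool = True) -> dict:
    """Score a macro: 2 points for any auto-exec trigger, 1 per indicator
    category, 1 per obfuscation construct (scoring is an assumption here)."""
    text = deobfuscate(vba) if decode else vba
    auto_exec = sorted({m.group(1) for m in AUTO_EXEC.finditer(vba)})
    indicators = sorted(n for n, rx in INDICATORS.items() if rx.search(text))
    obfuscation = sorted(n for n, rx in OBFUSCATION.items() if rx.search(vba))
    score = (2 if auto_exec else 0) + len(indicators) + len(obfuscation)
    if auto_exec and indicators:
        verdict = "suspicious"
    elif score == 0:
        verdict = "likely benign"
    else:
        verdict = "review"
    return {"auto_exec": auto_exec, "indicators": indicators,
            "obfuscation": obfuscation, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for name, src in (("benign", BENIGN_VBA), ("malicious", MALICIOUS_VBA)):
        print(name, triage(src))
    # Without decoding, the shell and WMI indicators never appear in the text,
    # which is exactly what the Chr()/StrReverse() obfuscation is for.
    print("raw-only", triage(MALICIOUS_VBA, decode=False)["indicators"])
```

Running `triage(MALICIOUS_VBA, decode=False)` shows the gap the abstract refers to: on the raw source only the `CreateObject`/`GetObject` calls, the `RegWrite` persistence and the `powershell` string are visible, while `WScript.Shell` and `winmgmts:` are only found after decoding. A signature that matches those literals directly is bypassed by the cheapest obfuscation; pairing keyword matching with constant folding, or with emulation of the macro, is what closes that gap.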