#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: VBA Macros

Hackers Hide Malware in Stunning Images Taken by James Webb Space Telescope

Hackers Hide Malware in Stunning Images Taken by James Webb Space Telescope

Aug 31, 2022
A persistent Golang-based malware campaign dubbed GO#WEBBFUSCATOR has leveraged the deep field image taken from NASA's James Webb Space Telescope (JWST) as a lure to deploy malicious payloads on infected systems. The development, revealed by Securonix , points to the growing adoption of Go among threat actors, given the programming language's cross-platform support, effectively allowing the operators to leverage a common codebase to target different operating systems. Go binaries also have the added benefit of rendering reverse engineering a lot more challenging as opposed to malware written in other languages like C++ or C#, not to mention prolong analysis and detection attempts. Phishing emails containing a Microsoft Office attachment act as the entry point for the attack chain that, when opened, retrieves an obfuscated VBA macro, which, in turn, is auto-executed should the recipient enable macros. The execution of the macro results in the download of an image file &quo
Hackers Opting New Attack Methods After Microsoft Blocked Macros by Default

Hackers Opting New Attack Methods After Microsoft Blocked Macros by Default

Jul 28, 2022
With Microsoft taking steps to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default across Office apps, malicious actors are responding by refining their tactics, techniques, and procedures (TTPs). "The use of VBA and XL4 Macros decreased approximately 66% from October 2021 through June 2022," Proofpoint  said  in a report shared with The Hacker News, calling it "one of the largest email threat landscape shifts in recent history." In its place, adversaries are increasingly pivoting away from macro-enabled documents to other alternatives, including container files such as ISO and RAR as well as Windows Shortcut (LNK) files in campaigns to distribute malware. "Threat actors pivoting away from directly distributing macro-based attachments in email represents a significant shift in the threat landscape," Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said in a statement. "Threat act
LibreOffice Releases Software Update to Patch 3 New Vulnerabilities

LibreOffice Releases Software Update to Patch 3 New Vulnerabilities

Jul 28, 2022
The team behind LibreOffice has released security updates to fix three security flaws in the productivity software, one of which could be exploited to achieve arbitrary code execution on affected systems. Tracked as  CVE-2022-26305 , the issue has been described as a case of improper certificate validation when checking whether a macro is signed by a trusted author, leading to the execution of rogue code packaged within the macros. "An adversary could therefore create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading to the user to execute arbitrary code contained in macros improperly trusted," LibreOffice said in an advisory. Also resolved is the use of a static initialization vector ( IV ) during encryption ( CVE-2022-26306 ) that could have weakened the security should a bad actor have access to the user's configuration inform
Microsoft Resumes Blocking Office VBA Macros by Default After 'Temporary Pause'

Microsoft Resumes Blocking Office VBA Macros by Default After 'Temporary Pause'

Jul 22, 2022
Microsoft has officially resumed blocking Visual Basic for Applications (VBA) macros by default across Office apps, weeks after temporarily announcing plans to roll back the change. "Based on our review of customer feedback, we've made updates to both our  end user  and our  IT admin  documentation to make clearer what options you have for different scenarios," the company  said  in an update on July 20. Earlier this February, Microsoft publicized its plans to disable macros by default in Office applications such as Access, Excel, PowerPoint, Visio, and Word as a way to prevent threat actors from abusing the feature to deliver malware. It's a known fact that a majority of the damaging cyberattacks today leverage email-based phishing lures to spread bogus documents containing malicious macros as a primary vector for initial access. "Macros can add a lot of functionality to Office, but they are often used by people with bad intentions to distribute malware to
Hackers Exploiting Follina Bug to Deploy Rozena Backdoor

Hackers Exploiting Follina Bug to Deploy Rozena Backdoor

Jul 09, 2022
A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems. "Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine," Fortinet FortiGuard Labs researcher Cara Lin  said  in a report this week. Tracked as  CVE-2022-30190 , the now-patched Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability has come under heavy exploitation in recent weeks ever since it came to light in late May 2022. The starting point for the latest attack chain observed by Fortinet is a weaponized  Office document  that, when opened, connects to a  Discord CDN URL  to retrieve an HTML file (" index.htm ") that, in turn, invokes the diagnostic utility using a PowerShell command to download next-stage payloads from the same CDN attachment space. This includes the Rozena implant ("Word
Microsoft Temporarily Rolls Back Plan to Block Office VBA Macros by Default

Microsoft Temporarily Rolls Back Plan to Block Office VBA Macros by Default

Jul 08, 2022
Five months after announcing plans to disable Visual Basic for Applications (VBA) macros by default in the Office productivity suite, Microsoft appears to have rolled back its plans. "Based on feedback received, a rollback has started," Microsoft employee Angela Robertson  said  in a July 6 comment. "An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available." When reached by The Hacker News, Redmond said its decision to reverse course was temporary and that it's working to incorporate further usability improvements. "Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability," a Microsoft spokesperson said. "This is a temporary change, and we are fully committed to making the default change for all users. Regardless of the default setting, customers can block internet macros th
Emotet Testing New Delivery Ideas After Microsoft Disables VBA Macros by Default

Emotet Testing New Delivery Ideas After Microsoft Disables VBA Macros by Default

Apr 26, 2022
The threat actor behind the prolific Emotet botnet is testing new attack methods on a small scale before co-opting them into their larger volume malspam campaigns, potentially in response to Microsoft's move to disable Visual Basic for Applications (VBA) macros by default across its products. Calling the new activity a "departure" from the group's typical behavior, Proofpoint alternatively  raised the possibility  that the latest set of phishing emails distributing the malware show that the operators are now "engaged in more selective and limited attacks in parallel to the typical massive scale email campaigns." Emotet, the handiwork of a cybercrime group tracked as  TA542  (aka Mummy Spider or  Gold Crestwood ), staged a  revival of sorts  late last year after a 10-month-long hiatus following a coordinated law enforcement operation to take down its attack infrastructure. Since then, Emotet  campaigns  have targeted thousands of customers with tens of
Microsoft Disables Internet Macros in Office Apps by Default to Block Malware Attacks

Microsoft Disables Internet Macros in Office Apps by Default to Block Malware Attacks

Feb 08, 2022
Microsoft on Monday said it's taking steps to disable Visual Basic for Applications (VBA) macros by default across its products, including Word, Excel, PowerPoint, Access, and Visio, for documents downloaded from the web in an attempt to eliminate an entire class of attack vector. "Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss, and remote access," Kellie Eickmeyer  said  in a post announcing the move. While the company does warn users about permitting macros in Office files, unsuspecting victims — e.g., recipients of phishing emails — can still be lured into enabling the feature, effectively granting the attackers the ability to gain an initial foothold into the system. As part of the new change, when a user opens an attachment or downloads from the internet an untrusted Office file containing macros, the app displays a
More Resources

Sign up for free and start receiving your daily dose of cybersecurity news, insights and tips.