Macro Malware Dridex, Locky Using Forms to Hide Code

Share this…

The resurgence and continued prevalence of macro malware could be linked to several factors, one of which is their ability to bypass traditional antimalware solutions and sandboxing technologies. Another factor is the continuous enhancements in their routines: just recently, we observe that the macro malware related to DRIDEX and the latest crypto-ransomware variant,Locky ransomware, used Form object in macros to obfuscate the malicious code. With this improvement, it could further aid cybercriminals or attackers to hide any malicious activity they perform in their target network or system.

Prior to using forms, which are like text boxes for any application UI, attackers use scripts that are laid in the macro sheet in order to deliver and execute the malware. Similar to these previous macro malware, this also requires users to manually enable the macros in order to trigger the execution of the payload. However, this new tactic requires the shellcode to be accessed according to how it’s stored in the form. While the implementation of this is considered more difficult than the typical technique, it doesn’t necessarily affect the installation routine.


Figure 1. Screenshot of the stored shellcode

Possible scenarios

Imagine one of the employees in organization X receives a spammed email with a Word document file attachment. The said attachment prompts the employee to enable the macros and since he typically encounters forms in Word file, he didn’t think anything suspicious about it thus he opens the said file. Unknown to him, a malicious file is already running in the background that eventually leads to system infection, and subsequently resulted to data theft or rendering of important files unusable.


Figure 2. Screenshot of spammed message laden with ransomware

The dangers of such new tactic are reminiscent of POWELIKS that kept its malicious code hidden in the Windows registry. At the time of its emergence, no other threat used and/or no one expected that such feature can be abuse to obfuscate malicious code.

The abuse of macros can be traced back to as early as 2000’s. At that time, leveraging this feature was a popular tactic but all that changed when Microsoft decided to disable these macros by default as a security measure. For the longest time, macro malware did not make any headlines until in 2014, and has since became an arsenal for cybercrime and targeted attack campaigns. Recent threats like DRIDEX and ROVNIX used malicious macros as infection vectors.BARTALEX, which mostly affected enterprises, highlighted the security risks that any threat sporting such tactic could pose to any large organization or entity.

Looking through the malicious payload

Locky ransomware, which is reported to be responsible for compromising the network andencrypting the records of Hollywood Presbyterian Medical Center last February 2016, is the first instance of ransomware that capitalized on malicious macros to infiltrate systems. Typically, ransomware is distributed via compromised websites or spam emails. However, this variant deviated and replicated this behavior (use of macros) commonly seen in DRIDEX.

Based on our Smart Protection Network data, the top countries by Locky ransomware are Germany, Japan, and the United States.


Figure 3. Top countries affected by Locky ransomware for the past 3 months

DRIDEX, a prevalent online banking malware has its own macro downloader. When we’re conducting our analysis, we found out that most of our DRIDEX detections pertain to its macro downloader and not the actual TSPY_DRIDEX. This could suggest that this threat is still rampant as ever despite the takedown of some of its command-and-control (C&C) servers last year.


Trend Micro endpoint solutions such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security include behavior monitoring to detect the malicious files related to the abovementioned attacks. However, awareness of such threats and their behavior is one of the initial steps in order to combat their risks. It’s also important to not enable macros from email attachments as this can add another layer of protection to prevent the download of malicious files on the system. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources.