
Advanced VBA Macros Attack & Defence

Conference:  BlackHat EU 2019

2019-12-04

Summary

VBA macros remain a prevalent way to deliver malware, and new obfuscation techniques make malicious macros harder to detect. Analysis and detection tools have improved in parallel to address these challenges.
  • VBA macros have been used to deliver malware since 1995; their resurgence in recent years followed changes in the Microsoft Office user interface
  • New obfuscation techniques such as VBA Stomping (replacing a module's VBA source code with a harmless decoy while leaving the compiled p-code, which Office actually runs, intact) make malicious macros hard to detect
  • Tools such as olevba and ViperMonkey have been developed to analyse and detect malicious macros
  • Advanced techniques such as VBA Stomping and Excel 4.0 macros have been presented at conferences
  • Detecting and preventing malicious macros remains challenging, but tools such as MacroRaptor (mraptor) flag suspicious keyword combinations, such as an auto-execution trigger paired with file-write or code-execution calls
  • Anecdote: examples of macro-based campaigns include Emotet, FD Code, BlackEnergy, and Olympic Destroyer
Emotet, for example, is a banking Trojan active since 2014 that sends hundreds of thousands of macro-laden phishing emails every day. Olympic Destroyer used a macro as the initial intrusion vector in the attack on the 2018 Winter Olympics.
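To make the detection side concrete, here is an added Python example (not code from the talk or from oletools) that models MacroRaptor's keyword triage: auto-exec triggers (A), write capabilities (W) and execute capabilities (X), with a document called suspicious only when A is combined with W or X. The keyword lists are an assumed, illustrative subset of what the real mraptor looks for, the VBA samples are constructed for this example, and the last sample shows why the VBA Stomping caveat matters: a source-only scanner sees only the decoy source.

```python
"""MacroRaptor-style triage of VBA source (added example, not oletools code).
Flags auto-exec triggers (A), write (W) and execute (X) capabilities and calls
a document suspicious when A is combined with W or X. The keyword lists are an
assumed, illustrative subset of what the real mraptor looks for."""
import re

# A: procedures Office runs automatically on open/close, without a click.
AUTOEXEC = re.compile(
    r"\b(AutoOpen|AutoClose|AutoExec|AutoExit|AutoNew|Auto_Open|Auto_Close|"
    r"Document_Open|Document_Close|Document_New|"
    r"Workbook_Open|Workbook_Close|Workbook_Activate)\b",
    re.IGNORECASE,
)

# W: calls that drop or alter files, or write into process memory.
WRITE = re.compile(
    r"\b(FileCopy|CopyFile|Kill|CreateTextFile|SaveToFile|SaveAsText|SaveAs|"
    r"URLDownloadToFileA?|VirtualAlloc|RtlMoveMemory|WriteProcessMemory|"
    r"ADODB\.Stream|FileSystemObject)\b",
    re.IGNORECASE,
)

# X: calls that launch code, scripts or COM objects. Longer names come first
# so "Shell.Application" is not reported as a bare "Shell".
EXECUTE = re.compile(
    r"\b(Shell\.Application|WScript\.Shell|ShellExecuteA?|Shell|"
    r"CreateObject|GetObject|SendKeys|MacScript|CallByName|FollowHyperlink|"
    r"CreateThread|CreateProcessA?|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest)\b",
    re.IGNORECASE,
)


def classify(vba_source):
    """Return the A/W/X flag string, the keywords behind it, and the verdict."""
    found = {
        "A": sorted({m.group(0).lower() for m in AUTOEXEC.finditer(vba_source)}),
        "W": sorted({m.group(0).lower() for m in WRITE.finditer(vba_source)}),
        "X": sorted({m.group(0).lower() for m in EXECUTE.finditer(vba_source)}),
    }
    # mraptor's rule: a trigger alone is normal and so is a Shell call alone;
    # the combination A and (W or X) is what gets flagged.
    suspicious = bool(found["A"]) and bool(found["W"] or found["X"])
    flags = "".join(k if found[k] else "-" for k in "AWX")
    return {"flags": flags, "keywords": found, "suspicious": suspicious}


def scan_document(modules):
    """Classify a whole document: all modules are joined first (as mraptor does
    with the code olevba extracts), so a trigger in ThisDocument and a payload
    in Module1 are caught together; per-module flags show where each lives."""
    result = classify("\n".join(modules.values()))
    result["modules"] = {n: classify(s)["flags"] for n, s in modules.items()}
    return result


# Constructed samples, not real malware.
BENIGN_MODULE = '''
Sub FormatReport()
    ActiveSheet.Range("A1").Font.Bold = True
End Sub
'''
# Auto-exec handler that only shows a message: A without W or X.
TRIGGER_ONLY_MODULE = '''
Private Sub Workbook_Open()
    MsgBox "Welcome to the quarterly report"
End Sub
'''
# Classic dropper shape in one module: auto-exec, write a script, run it.
DROPPER_MODULE = '''
Sub AutoOpen()
    Dim fso As Object, f As Object, p As String
    p = Environ("TEMP") & "\\update.vbs"
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.CreateTextFile(p, True)
    f.WriteLine "' payload would go here"
    f.Close
    Shell "wscript.exe " & p, vbHide
End Sub
'''
# The same capability split across two modules: each half looks harmless on
# its own, which is why the document is scanned as a whole.
SPLIT_TRIGGER_MODULE = '''
Private Sub Document_Open()
    RunUpdate
End Sub
'''
SPLIT_PAYLOAD_MODULE = '''
Sub RunUpdate()
    Shell "wscript.exe " & Environ("TEMP") & "\\update.vbs", vbHide
End Sub
'''
# VBA Stomping: the compressed source in the module stream is overwritten with
# a decoy such as BENIGN_MODULE while the compiled p-code of DROPPER_MODULE is
# left in place. A source-only scanner sees the decoy, so the p-code itself has
# to be inspected or compared against the source.
STOMPED_DECOY_SOURCE = BENIGN_MODULE
```

In practice the `modules` dict would be filled from the VBA source olevba extracts from a document; `scan_document({"ThisDocument": SPLIT_TRIGGER_MODULE, "Module1": SPLIT_PAYLOAD_MODULE})` returns flags `A-X` and a suspicious verdict even though each module alone is clean, while `scan_document({"Module1": STOMPED_DECOY_SOURCE})` returns `---`, which is exactly the blind spot VBA Stomping exploits.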

Abstract

In 2019, VBA macros are still heavily used to deliver malware, and new obfuscation techniques such as VBA Stomping, implemented in EvilClippy, allow attackers to deliver malicious payloads to end users without being detected. Fortunately, analysis and detection tools are also progressing to address these advanced attack techniques. This presentation demonstrates some of them and shows how analysis and detection tools such as olevba have recently been improved to meet the new challenges.
