Macro Code in Word, Safe or Not?

Introduction

‘Microsoft Word’ is a powerful word-processing application with many features, one of which is the ‘Macro.’
A macro automates repetitive tasks by recording a sequence of actions and replaying it whenever needed. Users can also write small programs (VBA scripts) inside Word to perform specific tasks or actions.

This article demonstrates how the macro feature can be abused and explores the risks that come with enabling macros.

Microsoft Word Software

Microsoft Word is one of the components of the Microsoft Office suite.
The first version was released in 1983. Word is known for document creation and word processing, and it has become an indispensable tool for businesses.
As a word processor, Microsoft Word lets users produce a wide range of professional documents, including letters, reports, etc.
Its user-friendly interface, extensive formatting options, and robust feature set have made it a staple in organizations worldwide.

Macro

Microsoft Word provides a ‘Macro’ tool that records actions that can be automatically played back to perform a task. Users can create a macro instead of repeating the same steps manually. A macro can be simple, like formatting text, or complex, involving multiple steps and conditions. With a macro, users can save time and effort by automating repetitive tasks.

Why Should Organizations Use Macros?

Using macros offers several benefits, including:

  1. Automation of repetitive tasks, saving time and effort.
  2. Consistent task execution, reducing the chance of human error.
  3. Faster document creation and editing, helping users produce professional documentation.
  4. Custom macros tailored to a user’s specific needs.
  5. Handling complex tasks that would otherwise take considerable time to perform manually.

The Dangers of Using Macros

A macro is code that Word executes, which makes it a potential vehicle for malicious activity. Word therefore applies security controls to macro execution. By default, macros are disabled with a notification (the ‘Enable Content’ bar), and newer Office builds (Microsoft 365 since 2022) block macros outright in files that carry the Mark of the Web, i.e. files downloaded from the internet or received as email attachments. A macro only runs if the user explicitly enables it, or if the document comes from a trusted location or a trusted publisher.

How Does a Malicious Word Macro Work?

Opening a document and clicking ‘Enable Content’ is all it takes to run macro-based malware: Word automatically executes procedures named AutoOpen or Document_Open, so the payload needs no further interaction from the victim.
The malware is embedded in one or a few documents, which are then distributed, typically as email attachments.
Not every antivirus product detects such documents reliably, but good ones do, since the macro can be extracted from the file and inspected without opening it in Word.

A malicious Word macro is dangerous because an attacker can use the macro engine to deliver and execute arbitrary code on the victim’s system.
A few ways macros give the attacker an advantage:

  1. The attack usually begins with social engineering. The attacker emails the victim a Word document that looks legitimate; when the victim opens it and enables macros, the macro code runs behind the scenes.
  2. The malicious macro is embedded in an otherwise ordinary document, titled ‘resume’ or ‘article,’ for example, so the victim believes it is harmless.
  3. Once the victim opens the document and allows the macro to run, the code can perform a range of malicious actions: downloading further malware, keylogging, installing a backdoor, enrolling the host in a botnet, etc.

Proof-of-Concept

In this PoC, the attacker embeds a macro payload generated by the ‘Unicorn’ tool into a legitimate-looking Word document.
‘Magic Unicorn’ (by TrustedSec) is a simple tool for using a PowerShell downgrade attack and injecting shellcode straight into memory.

The attacker clones the GitHub repository onto the Kali Linux machine and runs the following command in the terminal:

The tool then generates the macro code the attacker needs, written to powershell_attack.txt, together with a Metasploit resource file (unicorn.rc) that configures the listener so it can be set up quickly.

The attacker copies the macro code from ‘powershell_attack.txt’ and, on the Windows machine, creates a new Word document saved with the ‘.doc’ extension (a legacy format that can carry macros; the default ‘.docx’ format cannot, and ‘.docm’ is the modern macro-enabled alternative).

To paste the macro payload, the attacker opens the document, goes to Developer > Visual Basic, double-clicks ‘ThisDocument’ in the project tree, and pastes the content. If the Developer tab is not visible, it can be enabled under File > Options > Customize Ribbon.

Next, the attacker starts the Metasploit listener and waits for connections.

Metasploit loads the settings the tool generated, so the handler is ready to accept a connection back to the Kali Linux machine.

With the listener ready, the attacker sends the malicious Word document to the victim and persuades him to open it and enable macros. When the victim does so, the macro code runs behind the scenes and the attacker receives a reverse shell.

Mitigation

To protect organizations against social engineering attacks that use macro-based malware, it is crucial to implement the following document-security measures:

  1. Do not open every email attachment, and be especially wary of a document that asks you to enable macros.
  2. Macros are disabled by default in Microsoft Word. Enable them only if you trust the source of the document.
  3. Use anti-virus/XDR products in your organization to detect and block malicious documents.
  4. Keep your operating system and software up to date to benefit from the latest security updates; current Office builds also block macros in documents downloaded from the internet by default.
  5. Educate employees about the dangers of opening unknown or suspicious documents and enabling macros.
  6. Enforce macro settings centrally with Group Policy (for example ‘Disable all macros without notification,’ or ‘Disable all except digitally signed macros’ with a controlled list of trusted publishers), so that a user cannot defeat the control simply by clicking ‘Enable Content.’
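As an added example (not code from the original article or from the Unicorn project), the following Python script triages Word files for a VBA project without opening them in Word. It identifies the container by its magic bytes rather than its file extension, which matters because the PoC above stores macro-enabled content under a ‘.doc’ name and Word opens files by content. The three sample documents are constructed in memory; the legacy ‘.doc’ sample is only the compound-file signature followed by the stream names a macro project leaves behind, not a valid file, and the byte search on it is a heuristic rather than a full compound-file parser. For production triage, use a real parser such as oletools’ olevba, which also decompresses and prints the macro source.

```python
import io
import zipfile

# Added example: lightweight triage of Word files for embedded VBA projects.
# Sample documents are constructed in memory below; nothing is read from disk.

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy compound file (.doc) signature
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm) is a zip container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# Storage/stream names a VBA project leaves inside a legacy .doc. Compound-file
# directory entries store names as UTF-16LE, so the search uses that encoding.
OLE_VBA_NAMES = ("Macros", "VBA", "_VBA_PROJECT", "ThisDocument")


def classify_document(data: bytes) -> dict:
    """Classify the raw bytes of a Word file.

    Returns {"container": "ole"|"ooxml"|"corrupt-zip"|"unknown",
             "has_vba": bool, "indicators": [str, ...]}.
    """
    result = {"container": "unknown", "has_vba": False, "indicators": []}

    if data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        for name in OLE_VBA_NAMES:
            if name.encode("utf-16-le") in data:
                result["indicators"].append("ole-stream:" + name)
        # A "Macros" storage can exist with an empty project; the VBA project
        # streams are the reliable sign that macro code is really stored.
        result["has_vba"] = any(
            i in ("ole-stream:VBA", "ole-stream:_VBA_PROJECT") for i in result["indicators"]
        )

    elif data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                for name in names:
                    if name.lower().endswith("vbaproject.bin"):
                        result["indicators"].append("part:" + name)
                if "[Content_Types].xml" in names:
                    content_types = zf.read("[Content_Types].xml")
                    if VBA_CONTENT_TYPE in content_types:
                        result["indicators"].append("content-type:vbaProject")
                    if b"macroEnabled" in content_types:
                        result["indicators"].append("content-type:macroEnabled")
        except zipfile.BadZipFile:
            result["container"] = "corrupt-zip"
        result["has_vba"] = any(
            i.startswith("part:") or i == "content-type:vbaProject" for i in result["indicators"]
        )

    return result


def triage(files):
    """files: iterable of (filename, bytes). Returns [(filename, reason)] to review."""
    flagged = []
    for filename, data in files:
        info = classify_document(data)
        if info["has_vba"]:
            flagged.append((filename, "VBA project present: " + ", ".join(info["indicators"])))
    return flagged


def _build_ooxml(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in parts.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def sample_docx() -> bytes:
    """Constructed sample: a minimal macro-free .docx."""
    return _build_ooxml({
        "[Content_Types].xml":
            b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            b'<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            b'</Types>',
        "word/document.xml": b"<w:document/>",
    })


def sample_docm() -> bytes:
    """Constructed sample: the same document carrying a VBA project part, as a .docm does."""
    return _build_ooxml({
        "[Content_Types].xml":
            b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            b'<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            b'</Types>',
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\x01\x16\x01\x00" + b"\x00" * 64,  # placeholder bytes, not a real project
    })


def sample_legacy_doc() -> bytes:
    """Constructed sample: NOT a valid compound file, only the signature plus the
    UTF-16LE directory names a real macro-bearing .doc contains, to exercise the heuristic."""
    names = ("Root Entry", "WordDocument", "Macros", "VBA", "_VBA_PROJECT", "ThisDocument")
    body = b"".join(n.encode("utf-16-le") + b"\x00\x00" for n in names)
    return OLE_MAGIC + b"\x00" * 504 + body


if __name__ == "__main__":
    samples = [("letter.docx", sample_docx()), ("resume.docm", sample_docm()),
               ("invoice.doc", sample_legacy_doc())]
    for filename, reason in triage(samples):
        print(f"REVIEW {filename}: {reason}")
```

Because the check keys on the container's content rather than the name, a `.docm` renamed to `.doc` (the naming the PoC relies on) is still flagged, while a genuine `.docx` is not.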

Summary

Microsoft Word macros automate tasks and improve productivity.
However, because a macro is executable code, it can also be used maliciously.
For this reason, Word ships with security settings that control macro execution.
By default, macros are disabled, and users must explicitly enable them or open the document from a trusted source.
