20 Years of Macro Malware: From Harmless Concept to Targeted Attacks

Macro malware is one of the security industry’s longest-enduring problems. Ever since the world's first sample was discovered in 1995, macro viruses have always found ways to resist security efforts to get rid of them, rising from the ashes again and again in some form or another. One big reason for their resilience, we believe, is that they exploit widely used, ubiquitous software such as Microsoft Office applications. It's been 20 years since the first discovery, so we decided to look back through the years to track where macro malware has been and where it’s going.

  • 1995-1999: The Early Years
1995 was the year the very first macro malware, "Concept," was discovered in the wild. Taking advantage of Microsoft Word’s macro function, it was found preinstalled on some CDs that Microsoft released for Microsoft Windows 95. Basically harmless, all it did was display a single dialog box with the number “1” and the “OK” button. It was also during this year that the first Excel macro virus, XM_LAROUX, was discovered. Like Concept, it also lacked a malicious payload, and only displayed a message box with a cryptic message and an OK button.
At the turn of the century, in 1999, Melissa, one of the most notorious pieces of macro malware, was discovered. Released by David L. Smith, it got into users’ systems as a malicious Word file that had a list of 80 pornographic websites. Once opened, it would mass-mail itself to fifty addresses in the user’s Address book. While not exactly malicious, it did put undue stress on the email servers of businesses at the time, infecting more than 20% of all computers worldwide and causing no less than US$80 million worth of damage.
  • 2000-2005: Temporary Dormancy

After Melissa, however, things became relatively quiet on the macro malware front. In fact, many security vendors proclaimed that macro malware was all but officially extinct, with only a handful of detections coming up every now and then. It was believed that since the technologies that enabled macro malware to exist had not changed much during that time, it was easier to defend against them.

  • 2006: The Macro Rises for The First Time
2006 heralded the big return of macro malware, with April of that year peaking at nearly 19,000 detections, and then again in September with 22,000. Despite the appearance of new variants of macro malware during this year, we believed that the correlation between the rise in detection volume and the months in which the detections peaked had more to do with taxes than anything else. April and June are, after all, the months in which individuals and businesses respectively file taxes, while September is when companies usually set budgets. These events translate to increased use of Office Suite components.

Macro malware activity would soon die down after this particular surge, however. Activity went dormant again, this time due to Microsoft itself stepping in to implement new security measures. It would be a handful of years until it would pop into the threat landscape once more, and in a huge way.
  • 2014: Macro Malware Maximized
It would be eight years before macro malware made its biggest resurgence thus far. In April 2014, strains of the infamous info-stealing malware ZeuS were found to be spreading through macro-enabled Microsoft Word files. November of the same year would also see DRIDEX, an info-stealer that targets online banking users in Europe, use the same infection tactic.

Not a few days later, backdoor malware ROVNIX would follow suit, but coming with its own defensive measure: the macro-enabled document was password-protected against security vendor analysis.
  • 2015-Present: The Macro Renaissance
2015 would be the year that macro malware really started to make big waves, as they weren't just being used to spread banking malware, but also for enabling targeted attacks.

VAWTRAK, a banking malware that targeted major global banks such as Bank of America, J.P. Morgan, Citibank, and HSBC, opened up 2015 in a big way by infecting users through macro malware in February. BARTALEX then joined the macro-enabled ranks in March, using maliciously-coded Word documents (as well as Excel files) to get into a system and download info-stealing malware (such as UPATRE).

It was also during this time that Team Rocket Kitten, a group attacking certain Israeli and European organizations, was found to be using macro malware for their targeted attack campaigns. Specifically, they used an Excel file embedded with malicious macro code. If the macro code is enabled, it drops the GHOLE malware onto the affected system and starts running malicious routines.

While there’s no telling where macro malware will go from here—seeing as they've reached the point where attackers are already using them to pull off targeted attacks—what we can say for sure is that we expect to see them being used in different schemes for months to come. Team Rocket Kitten may be the first team to use macro malware, but they definitely won’t be the last.

Fortunately, macro malware can be defended against.  Trend Micro customers are automatically protected from such threats, as Trend Micro™ Custom Defense™ protects enterprises from macro-based attacks. But users can also beef up security by ensuring that all their Microsoft Office macro security features are enabled. Users should also take care not to enable macros on any document that they receive from e-mails or download links, especially when the document urges them to—it’s usually a red flag that says "this is macro malware".

