Detecting Macro Enabled Office File In an Attachment

0
483

Detecting Macro Enabled Office File

Nowadays, the attackers pushes massive spam campaigns in order to spread their malwares. They use macro enabled spear-phishing office documents as an e-mail attachments. Generally, they are using the files with *.docm and *.xlsm extentions those are designed to spread malwares such as Cryptolocker variants and Odinaff banking trojan. Both of these malwares are very popular and Odinaff is also reported in the wild that SWIFT hack incedents executed by odinaff.

To decrease the risk on our network perimeter from these malwares, It is very important to log and observe its traffic. By default,  Intel Security product McAfee NSM doesn’t have a signature for Macro Enabled Office files.

In order to write a custom IPS rules about spear-phishing e-mails that contains a malicious office macro, it is needed to capture and analyze the real traffic.

Picture1 – Analyzing Mail Traffic with DOCM Attachment
Picture 1 – Analyzing Mail Traffic with DOCM Attachment
Picture2 – Analyzing Mail Traffic
Picture 2 – Analyzing Mail Traffic with XLSM Attachment

As seen above, the attachment is described in smtp body and its application type is also stored there. It looks enough to check application type in order to detect the malware.

The steps that is required to write custom rules as follows:

Custom attack editor can be found at Policy=>Intrusion Prevention => Advanved => Custom Attacks.

Picture 3 – Creating an Exploit Attack Definition
Picture 4 – Specifying Details
Picture 4 – Specifying Details
  • Firstly, create a condition and then you are able to add acomparison.
Picture 5 – Creating Conditions
Picture 5 – Creating Conditions
  • Select “String Pattern Match” form comparison selection window.
Picture 6 - Comparison Selection
Picture 6 – Comparison Selection
  • Select the protocol as SMTP.
Picture 7 - Selecting Protocol
Picture 7 – Selecting Protocol
  • Select the “Message Body” as protocol field, “Attachment Type” is ANY and “Req Encoding Type” as ANY.
  • Then It is needed to specify reqular expression to match.
    • For *.docm file use “ms-word.document.macroenabled”
    • For *.xlsm file use “ms-excel.document.macroenabled”
Picture 8 - Configuring Comparison
Picture 8 – Configuring Comparison

Finally, save and deploy the signature sets.

Picture9 – Save Custom Attacks

If your criteria hit by an email which contains Microsoft Office Macro, there will be alerts covering this misuse as below.

Picture10 –
Picture10 – Real Time Threat Analyzer

In default, custom signatures are going to be disabled. If it is needed, you should enable blocking on the signatures after tests.

LEAVE A REPLY