The 90s Hacking Trick Making a Comeback

Hackers are bringing back a cheap, dirty old trick: Macros.

One hack targeted a political dissident in London; another attack led to a massive power outage across Ukraine. On the face of it, nothing connected these two incidents.

But they both relied on a certain hacking technique, one that fell out of fashion at the turn of the century and has made something of a comeback: Macros.

Macros are essentially small programs embedded in documents that automate tasks and save users time. They might be used for quickly creating a company's letterhead in Word, or inserting tables that have already been formatted. But hackers can use macros to deliver malware to targets' computers.

On Sunday, research group Citizen Lab published findings on Stealth Falcon, a hacking campaign suspected to originate from the United Arab Emirates that has been targeting activists. Part of this involved sending a malware-laden Word document to Rori Donaghy, a London-based journalist.

"In order to protect the content of the attachment we had to add macro enabled security. Please enable macros in order to read the provided information about our organization," the email read. It was supposedly sent by a human rights organization called "The Right to Fight," but according to Citizen Lab, no such organization exists.

Citizen Lab found that the document macro included within that email attachment gathers information about the target system, and eventually opens up the computer to further attack.

"This gives the operator control over the victim's computer, and allows the operator to install additional spyware or perform other activities," Bill Marczak and John Scott-Railton from Citizen Lab write.

In another case involving macros, hackers targeted multiple power distribution companies throughout Ukraine and sent them a malicious Word document. Once victims enabled macros, a piece of malware called BlackEnergy3 infected their computers.

In short, macros are often used by attackers to get a more serious piece of malware onto a target's computer, perhaps then to steal documents, passwords, or other information.

Macro-based attacks date way back to the 1990s and steadily rose in popularity until around 2000, after which their prevalence dropped substantially.

"In the past five years, macro viruses (and more generally, macro malware) could be considered practically extinct—thanks mostly to the security improvements that were introduced over that period of time to their main target, the Microsoft Office products," Gabor Szappanos from cybersecurity company Sophos wrote in a 2014 paper. Indeed, macros were eventually disabled by default in Microsoft Office.

Clearly, though, macro-malware is back. And today an attacker using macros has more in common with someone sending phishing emails: They trick the victim into enabling macros through social engineering techniques.

There are ways to mitigate the threat. In March of this year, Microsoft pushed a new feature into Office that would allow system administrators to block the running of macros on their networked machines. And of course, vigilance goes a long way when it comes to social engineering.
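
Defenders can also check attachments for macros before a user ever sees an "enable macros" prompt. The Python below is an added illustration, not code from Citizen Lab, Sophos or Microsoft: it flags Office files that carry a VBA macro project by looking at file content rather than the extension, and its function names and sample attachments are constructed for the example.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # legacy .doc/.xls container header
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # stream name stored in the OLE directory

def macro_indicator(data: bytes) -> str:
    """Classify one attachment: 'ooxml-vba', 'ole-vba', 'malformed-zip' or 'none'."""
    if data.startswith(b"PK"):                   # modern Office files are ZIP archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "malformed-zip"               # cannot inspect: treat as suspicious
        # Macro-enabled documents keep their VBA code in a vbaProject.bin part.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-vba"
        return "none"
    # Heuristic for legacy binary formats: OLE2 header plus the VBA stream name.
    if data.startswith(OLE2_MAGIC) and VBA_MARKER in data:
        return "ole-vba"
    return "none"

def triage(attachments: dict) -> dict:
    """Map each attachment name to its verdict."""
    return {name: macro_indicator(blob) for name, blob in attachments.items()}

def _make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP; used only to construct the sample inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: placeholder bytes, not real documents or real macro code.
SAMPLES = {
    "report.docx": _make_zip({"word/document.xml": "<w:document/>"}),
    "invite.docx": _make_zip({"word/document.xml": "<w:document/>",
                              "word/vbaProject.bin": b"placeholder"}),
    "legacy.doc": OLE2_MAGIC + b"\x00" * 504 + VBA_MARKER,
    "broken.docm": b"PK\x03\x04 truncated",
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:12} {verdict}")
```

A hit only means the file contains macro code, not that the code is malicious; it marks the attachment for quarantine or closer analysis.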

But, in the same way that phishing emails continue to be an established form of infection, maybe macro-based attacks are here to stay for a while longer. The 90s is making a comeback, after all.