Microsoft has long disabled macros by default to limit security risks, but cybercriminals have found a way to use them to deploy payloads on users' desktop systems.
A macro is an automated input sequence that imitates keystrokes or mouse actions. It is typically used to replace a repetitive series of keyboard and mouse actions and is common in spreadsheet and word processing applications like MS Excel and MS Word. The file extension of a macro is commonly .MAC.
According to Trend Micro’s blog post, the technique “has signs of continuing what seems to be unfinished development.”
Users are prompted to enable macros in order to view a file sent to them. This prompt appears because, as mentioned, Microsoft disables macros to prevent them from being used to spread malware. Still, attackers have persistently relied on them, which underlines how significant macros remain in computing.
Trend Micro explains how the macro searches for compatible desktop shortcuts and “replaces with one that points to its downloaded malware.” As soon as the user clicks the shortcut, the malware gets to work and deploys its payloads. In other words, when the malware finds a target shortcut, it redirects the link to the file it intends to run, and clicking the shortcut then launches the malware.
The most targeted shortcuts are the frequently used ones, such as Google Chrome, Internet Explorer, Opera, Mozilla Firefox, and Skype.
The malware is able to remain unseen once downloaded, since it is fetched “according to its name and environment from Google Drive and GitHub.” When security experts check, the malware is nowhere to be found. Once it has done its job, “it recovers the original shortcut file to open the correct application again.”
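Because the hijacked shortcut is restored afterwards, the window for spotting it is narrow, so it helps to audit desktop shortcuts on a schedule. The following PowerShell script is an added example, not code from the Trend Micro post, that flags any desktop shortcut whose target no longer matches the application it is named after or points outside the usual install locations; the name-to-executable mapping and the trusted roots are assumptions chosen for illustration.

```powershell
# Added example, not code from the Trend Micro post: audit the shortcuts on a
# user's desktop and flag any whose target no longer matches the application
# the shortcut is named after. The name-to-executable mapping and the trusted
# install roots are assumptions chosen for illustration; adjust to your estate.
$shell = New-Object -ComObject WScript.Shell

# Shortcut display name -> executable it should launch (assumed mapping).
$expectedExe = @{
    'Google Chrome'     = 'chrome.exe'
    'Internet Explorer' = 'iexplore.exe'
    'Opera'             = 'launcher.exe'
    'Mozilla Firefox'   = 'firefox.exe'
    'Skype'             = 'Skype.exe'
}

# Directories where a legitimately installed program binary is expected to live.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
                  "$env:LOCALAPPDATA\Google", "$env:LOCALAPPDATA\Programs") |
                Where-Object { $_ }

function Test-ShortcutTarget {
    param([Parameter(Mandatory)][string]$LnkPath)
    $lnk    = $shell.CreateShortcut($LnkPath)
    $name   = [IO.Path]::GetFileNameWithoutExtension($LnkPath)
    $target = $lnk.TargetPath
    if (-not $target) { return }          # URL shortcuts and broken links carry no target

    $reasons = @()
    if ($expectedExe.ContainsKey($name) -and
        [IO.Path]::GetFileName($target) -ne $expectedExe[$name]) {
        $reasons += "expected $($expectedExe[$name]), shortcut launches '$target'"
    }
    $inTrusted = $trustedRoots | Where-Object {
        $target.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
    if (-not $inTrusted) {
        $reasons += "target lives outside the trusted install roots"
    }
    if ($reasons) {
        [PSCustomObject]@{ Shortcut = $LnkPath; Target = $target; Reasons = $reasons -join '; ' }
    }
}

# Scan the current user's desktop and the shared (public) desktop.
$findings = foreach ($dir in "$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop") {
    Get-ChildItem -Path $dir -Filter *.lnk -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-ShortcutTarget -LnkPath $_.FullName }
}
$findings | Format-Table -AutoSize
```

A shortcut that is only briefly redirected will be caught only if the scan runs while it is modified, so pair this with file-change auditing on the desktop folders rather than relying on a one-off run.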
The malware further deceives by using common, established Windows tools such as Ammyy Admin and WinRAR to collect the information it needs and “send back via SMTP,” the Simple Mail Transfer Protocol.
According to Trend Micro, the researchers saw signs of ongoing activity during their analysis, such as changed and updated files. They suspect that “the author is still developing the malware. The malware might still be in the PoC stage and will have further versions.”
While the researchers believe the malware is still under development and has had few victims so far, they suggest that users arm their desktops with endpoint solutions to keep the criminals from infiltrating their systems.