VBA + AMSI: evening the score with macro malware

Thursday 4 October 09:30 - 10:00, Red room

Giulia Biagini (Microsoft)

Macro malware made a come-back around mid-2014, since when it has constantly been leveraged to carry out malicious attack campaigns. On the one hand, social engineering is extremely effective at luring users into enabling the macro execution. Meanwhile, obfuscation allows attackers to craft documents that are difficult to detect generically and that can easily evade static signatures.

This talk aims at showcasing the new AMSI support for Office that allows the logging and scanning of macro activity. First, the VBA engine instruments the execution of the macro code by recording the calls to Win32 APIs and to COM methods to a simple textual log; second, AMSI is leveraged to invoke the anti-virus and request a scan of the log whenever any dangerous API or COM method is about to be executed. The anti-virus response determines whether the macro execution can continue or whether it must safely be terminated, to prevent any damage.

The dynamic nature of this solution is designed to avoid all the pitfalls of static scanning, and to provide a powerful means of bypassing code obfuscation completely: the instrumentation can tap into APIs and COM methods being invoked at run-time, hence it has visibility of the names of the objects, functions and parameters involved in the call, even if they don’t appear in the macro source code because they are obfuscated.

In the final part of the presentation, I will explain how the instrumentation works, and I will show examples of how complex, obfuscated macro malware produces neat and tidy logs that are very suitable for writing generic signatures.



Giulia Biagini

Giulia is a security software engineer at the Microsoft Threat Intelligence Center. Her focus is on the design and development of automated monitoring tools with the purpose of detecting malicious behaviours. She works primarily in the context of Office365 ATP. In the past year she has also expanded her focus by contributing to the development of Sysmon and improving the security of the Office suite. She comes from a background in maths, in which she holds a B.Sc. degree from the University of Genoa, and prior to joining Microsoft she obtained an M.Sc. in security and forensics from Dublin City University. Her favourite hobbies are travelling and jogging.


Other VB2018 papers

Keynote address: Customers, suppliers, and the adversaries that come with them

John Lambert (Microsoft)

Fire & ice: making and breaking macOS firewalls

Patrick Wardle (Digita Security)

DOKKAEBI: Documents of Korean and Evil Binary

Jaeki Kim (Financial Security Institute)
Kyoung-Ju Kwak (Financial Security Institute)
Min-Chang Jang (Financial Security Institute)

Back to VB2018 Programme page

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.