VBA Stomping

VBA stomping – attacks via precompiled code

Do you know the grandchild trick? Ever heard of it?

Did you know that this approach also works with VBA macros?

A macro pretends to be something completely harmless, and in reality something completely different is hiding behind it. And as you can probably guess, this is not used to let you go home early.


How do these attacks work?

An attacker uses MS Office to create a VBA macro containing malicious code and compiles it there. Office saves the precompiled code in the VBA project.

In the second step, the plain-text source of the macro is altered so that it appears harmless. This has to be done outside MS Office so that the precompiled code is preserved.

If the document manipulated in this way is opened and the code is executed, then only the precompiled malicious code is executed and not the code in plain text!

In the default settings of Office, the user is asked whether he wants to activate the macro, but even if he opens the VBA editor and reads through the code, he cannot see the precompiled code!
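Added example (not part of the original article and not code from the vendor's tool): a triage heuristic for one module stream of a VBA project, which per MS-OVBA holds the precompiled code first and the compressed plain text from the module's text offset onward. It decompresses the plain text and reports printable strings that occur only in the precompiled region. The function names and sample bytes are constructed for illustration, the text offset is assumed to have been read from the project's dir stream, and string literals are assumed to sit in the precompiled code as plain ANSI text.

```python
import re

def decompress(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (0x01 signature, then chunks)."""
    if container[:1] != b"\x01":
        raise ValueError("not an MS-OVBA compressed container")
    out, pos = bytearray(), 1
    while pos + 2 <= len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        end = min(pos + (header & 0x0FFF) + 3, len(container))
        pos += 2
        if not header & 0x8000:                  # raw chunk, stored as-is
            out += container[pos:end]
            pos = end
        start = len(out)
        while pos < end:
            flags, pos = container[pos], pos + 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:       # literal token: one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = int.from_bytes(container[pos:pos + 2], "little")
                pos += 2
                bits = max((len(out) - start - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                for _ in range(length):          # copy may overlap itself
                    out.append(out[-offset])
    return bytes(out)

def stomping_hints(module_stream: bytes, text_offset: int) -> list[str]:
    """Printable strings in the p-code region that the plain text never mentions."""
    source = decompress(module_stream[text_offset:]).lower()
    runs = re.findall(rb"[\x20-\x7e]{6,}", module_stream[:text_offset])
    return [r.decode("ascii") for r in runs if r.lower() not in source]

def pack_literals(data: bytes) -> bytes:
    """Sample builder: one compressed chunk made only of literal tokens."""
    body = b"".join(b"\x00" + data[i:i + 8] for i in range(0, len(data), 8))
    return b"\x01" + (0xB000 | (len(body) - 1)).to_bytes(2, "little") + body

# Constructed sample, not real p-code: filler bytes around one string literal.
PCODE = b"\x16\x00\xb9\x00\x1a\x00http://example.invalid/file\x00\x00\x1f\x00"
HARMLESS = b'Sub AutoOpen()\r\n    MsgBox "Hello"\r\nEnd Sub\r\n'
if __name__ == "__main__":
    print(stomping_hints(PCODE + pack_literals(HARMLESS), len(PCODE)))
```

An empty result does not prove the two forms match; a full comparison needs a p-code disassembler.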


How can you protect yourself from such attacks?

The safest protection – apart from completely disabling VBA macros – is digitally signed macros.

If a macro is digitally signed, then the precompiled code is disregarded. Office checks the plain text and compares it with the signature. Then the code is precompiled and executed.

It would be even better to remove the precompiled code so that these attacks are completely prevented.

Our tools help you prepare for these attacks as well.

The automated appending/removing of digital signatures has now been extended to include the deletion of the precompiled code.


Use our solution for your increased security.

As a specialist with decades of experience, we work on improving IT security every day. Our solution OVSC (Office VBA Security & Compliance) creates clarity and transparency in your shadow IT. We are happy to support you in becoming a little more secure. You can contact us HERE.