Security News > 2020 > December > Threat Actors Increasingly Using VBA Purging in Attacks
Initially detailed in February 2020, VBA purging involves the use of VBA source code only within Office documents, instead of the typically compiled code, and ensures better detection evasion.
Malicious Office documents have VBA code stored within streams of Compound File Binary Format files, with Microsoft's specifications on VBA macros storing VBA data in a hierarchy containing different types of streams.
FireEye submitted to VirusTotal a normal Office document carrying malicious VBA code and a counterpart to which VBA purging had been applied, and noticed that detection rates dropped 67%, which clearly shows the efficiency of the technique.
Using the newly developed detection techniques, the researchers discovered a multitude of documents leveraging VBA purging, created by a wide range of threat actors, some leveraging automation for document generation.
"For as long as companies use Office documents, attackers will be trying to smuggle malicious macros into them. VBA purging represents a recent example of how threat actors continually invent new ways to evade defenders," FireEye concludes.