As Microsoft blocks Office macros, hackers find new attack vectors

    Karlston

    Hackers who normally distributed malware via phishing attachments with malicious macros gradually changed tactics after Microsoft Office began blocking them by default, switching to new file types such as ISO, RAR, and Windows Shortcut (LNK) attachments.
    VBA and XL4 Macros are small programs created to automate repetitive tasks in Microsoft Office applications, which threat actors abuse for loading, dropping, or installing malware via malicious Microsoft Office document attachments sent in phishing emails.

    The reason for the switch is Microsoft's announcement that it would end the massive abuse of the Office subsystem by blocking macros by default and making them harder to enable.

    Although it took Microsoft a little longer than planned to roll out this Office change, the block finally took effect last week.

    However, the initial announcement alone convinced malware operators to move away from macros and begin experimenting with alternative methods to infect victims.

    Hackers abandon macros

    In a new report by Proofpoint, researchers looked at malicious campaign stats between October 2021 and June 2022 and identified a clear shift to other methods of payload distribution, recording a decrease of 66% in the use of macros.
    At the same time, the use of container files such as ISOs, ZIPs, and RARs has grown steadily, rising by almost 175%.

    [Figure: comparison-graph.png] Comparison between macros and container files in campaigns (Proofpoint)

    The use of LNK files exploded after February 2022, the month of Microsoft's announcement, increasing by a whopping 1,675% compared to October 2021 and becoming the weapon of choice of ten individual threat groups tracked by Proofpoint.

    [Figure: lnk-files.png] Malicious LNK file use rose to unprecedented levels (Proofpoint)

    We have reported on the use of LNK files by Emotet, Qbot, and IcedID, in all cases masquerading as a Word document to trick the recipient into opening it.

    However, these shortcut files can be used to execute almost any command the user has permission to run, including PowerShell commands that download and execute malware from remote sources.

    [Figure: Emotet_LNK_PowerShell.jpg] Windows shortcut running a PowerShell command to install Emotet (Source: BleepingComputer)

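    The traits just described (a shortcut whose real target is PowerShell, a hidden window, and an Office icon used as a disguise) are all readable straight from the .lnk file's header and string data, which is how mail gateways and triage scripts inspect these attachments before a user ever double-clicks. The following is an added illustration, not code from the article or from Proofpoint: a small parser for the Shell Link format (field offsets taken from the public MS-SHLLINK specification) plus a hypothetical set of heuristics. The two sample shortcuts are constructed in-code; the suspicious one carries a placeholder instead of a real encoded command.

```python
# Parse Windows Shell Link (.lnk) files and flag traits common in malicious shortcuts.
# Added illustration, not the article's code. Field layout follows the public
# MS-SHLLINK specification; the keyword lists below are a hypothetical starting set.
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HEADER_SIZE = 0x4C

# LinkFlags bits (which optional structures follow the 76-byte header)
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the window minimised and inactive

# Hypothetical heuristics (assumption): script hosts, argument fragments, Office icon hints
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "regsvr32")
SUSPICIOUS_ARGS = ("-encodedcommand", "-enc ", "hidden", "bypass", "iex", "invoke-expression",
                   "downloadstring", "downloadfile", "invoke-webrequest", "http")
OFFICE_ICON_HINTS = ("winword", "excel", ".docx", ".doc", ".xlsx")


def _read_string(data, offset, unicode):
    """Read one StringData entry: 2-byte char count, then the characters (no terminator)."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    width = 2 if unicode else 1
    raw = data[offset:offset + count * width]
    text = raw.decode("utf-16-le") if unicode else raw.decode("latin-1")
    return text, offset + count * width


def parse_lnk(data):
    """Return the header fields and string data a defender needs from a shell link."""
    if len(data) < HEADER_SIZE or data[:20] != struct.pack("<I16s", HEADER_SIZE, LNK_CLSID):
        raise ValueError("missing shell link header signature")
    (flags,) = struct.unpack_from("<I", data, 20)
    (show_command,) = struct.unpack_from("<I", data, 0x3C)
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:          # skip the item ID list
        (size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + size
    if flags & HAS_LINK_INFO:                   # skip LinkInfo (its size field includes itself)
        (size,) = struct.unpack_from("<I", data, offset)
        offset += size
    info = {"flags": flags, "show_command": show_command, "name": "", "relative_path": "",
            "working_dir": "", "arguments": "", "icon_location": ""}
    unicode = bool(flags & IS_UNICODE)
    for key, flag in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if flags & flag:                        # StringData entries appear in this fixed order
            info[key], offset = _read_string(data, offset, unicode)
    return info


def assess_lnk(info):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    target = (info["relative_path"] + " " + info["working_dir"]).lower()
    args = info["arguments"].lower()
    icon = info["icon_location"].lower()
    targets_script_host = any(h in target for h in SCRIPT_HOSTS)
    if targets_script_host:
        findings.append("target is a script host or LOLBin")
    hits = [k for k in SUSPICIOUS_ARGS if k in args]
    if hits:
        findings.append("suspicious arguments: " + ", ".join(hits))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window hidden via SW_SHOWMINNOACTIVE")
    if targets_script_host and any(h in icon for h in OFFICE_ICON_HINTS):
        findings.append("Office icon on a non-Office target (document masquerade)")
    return findings


def build_lnk(relative_path, arguments="", icon_location="", show_command=1):
    """Build a minimal Unicode shell link; used here only to construct sample input."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_ICON_LOCATION if icon_location else 0
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location) if s)
    return header + body


# Constructed samples: a plain notepad shortcut, and one shaped like the lures described above
BENIGN_LNK = build_lnk(r"..\..\Windows\notepad.exe")
SUSPECT_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-NoProfile -WindowStyle Hidden -EncodedCommand <BASE64_PLACEHOLDER>",
    r"%ProgramFiles%\Microsoft Office\root\Office16\WINWORD.EXE",
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        print(label, assess_lnk(parse_lnk(blob)))
```

    Running the script prints no findings for the notepad shortcut and four for the constructed lure: a script-host target, the `-EncodedCommand`/`Hidden` argument fragments, the SW_SHOWMINNOACTIVE window state, and a Word icon on a PowerShell target. The parser deliberately skips the item ID list and LinkInfo blocks rather than trusting them, because the string data is where the command line lives; a production scanner would also resolve the absolute target from LinkInfo and cap the string lengths it reads.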
    Finally, Proofpoint also observed a significant increase in HTML attachments that use the HTML smuggling technique to drop a malicious file on the host system, although their distribution volumes remain small.

    Shifting the threat

    While seeing macros becoming an obsolete method of payload distribution and initial infection is a positive development, the threat has merely shifted rather than being addressed or reduced.
    The question that needs answers now is how that change impacts the effectiveness of the malware campaigns, as convincing recipients to open .docx and .xls files was a lot easier than asking them to unpack archives and open files whose names end with .lnk.
    Furthermore, to bypass detection by security software, many phishing campaigns now password-protect archive attachments, adding another burdensome step a target must take to access the malicious files.
    From that perspective, threat actors relying on phishing emails might be running out of good options, and their infection rates may have dropped as a result.
    Finally, email security solutions now have a narrower spectrum of potential risks to evaluate, improving their chances of catching a risky file.