Hackers opt for new attack methods after Microsoft blocks macros by default

As Microsoft takes steps to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros in Office apps by default, malicious actors are responding by shifting to new tactics, techniques, and procedures (TTPs).

“Usage of VBA and XL4 macros decreased approximately 66% from October 2021 through June 2022,” Proofpoint said in a report shared with The Hacker News.

Instead, adversaries are increasingly moving away from macro-laden documents to alternatives such as container files (ISO images and RAR archives) and Windows Shortcut (LNK) files in their malware distribution campaigns.

“Threat actors turning away from directly distributing macro-based attachments in email represents a significant shift in the threat landscape,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said in a statement.

“Threat actors are now adopting new tactics to deliver malware, and the increased use of files such as ISO, LNK and RAR is expected to continue.”

VBA macros embedded in Office documents sent via phishing emails have proven to be an effective technique because they allow threat actors to execute malicious content automatically once a recipient has been tricked, through social engineering, into enabling macros.

However, Microsoft's plans to block macros in files downloaded from the Internet have led email-based malware campaigns to experiment with other ways to bypass Mark of the Web (MOTW) protections and infect victims. The macro block is keyed to the MOTW zone marking that browsers and mail clients attach to downloaded files; at the time of the report, files inside a mounted ISO image did not inherit that marking from the downloaded image, and many third-party archivers likewise did not propagate it to extracted files, so the payload arrived on disk without the "downloaded from the Internet" flag that would otherwise trigger the block.

This includes the use of ISO, RAR and LNK file attachments, which increased by almost 175% over the same period. At least 10 threat actors are reported to have begun using LNK files since February 2022.

“The number of campaigns using LNK files has increased by 1,675% since October 2021,” the security firm noted, with HTML attachment attacks more than doubling from October 2021 to June 2022.

Some of the notable families of malware distributed through these new methods include Emotet, IcedID, Qakbot, and Bumblebee.

“In general, these other file types are attached directly to an email in the same way we would previously observe a macro-laden document,” DeGrippo told The Hacker News in an emailed response.

“There are also cases where the attack chains are more complex, for example in some recent Qbot campaigns where a .ZIP with an ISO is embedded in an HTML file that is directly attached to a message.”

“As for target victims’ opening and clicking, the methods are the same: a wide variety of social engineering tactics to get people to open and click. The preventative measures we use for phishing still apply here.”
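The file-type shift described above (ISO, RAR and LNK attachments, and the HTML-wrapped ZIP-in-ISO chain DeGrippo describes) is something a mail gateway or triage script can flag by content rather than by file extension. The following Python example is added here and is not Proofpoint's or The Hacker News' code. It uses only standard-library modules, identifies containers by their published magic bytes (ZIP, RAR 4/5, ISO 9660, Shell Link), recurses into ZIP members and into base64 blobs smuggled inside HTML, and runs against a constructed sample message; the fake ISO, ZIP and LNK headers it builds are synthetic stand-ins, not real malware.

```python
"""Triage e-mail attachments for macro-less delivery containers (ISO, RAR, LNK, ZIP),
including containers nested in ZIPs or smuggled as base64 inside HTML attachments.
Added example; the sample message and its payloads are constructed, not captured."""
import base64
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Shell Link header CLSID 00021401-0000-0000-C000-000000000046 (from the LNK spec)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Candidate base64 runs inside HTML; 64+ chars keeps short identifiers out
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
MAX_DEPTH = 4            # bound recursion through nested containers
MAX_MEMBER = 50_000_000  # skip zip-bomb-sized members


def classify(data: bytes) -> Optional[str]:
    """Return the container type of a byte blob by magic bytes, or None."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:7] == b"Rar!\x1a\x07\x00" or data[:8] == b"Rar!\x1a\x07\x01\x00":
        return "rar"
    # ISO 9660: Primary Volume Descriptor at sector 16 starts with type 1 + "CD001"
    if len(data) >= 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso"
    if data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LNK_CLSID:
        return "lnk"
    return None


def walk(data: bytes, path: str, findings: List[Tuple[str, str]], depth: int = 0) -> None:
    """Classify a blob, then recurse into ZIP members and HTML-smuggled base64 payloads."""
    if depth > MAX_DEPTH:
        return
    kind = classify(data)
    if kind:
        findings.append((path, kind))
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER:
                        continue
                    walk(zf.read(info), f"{path}/{info.filename}", findings, depth + 1)
        except zipfile.BadZipFile:
            return
    elif kind is None and b"<html" in data[:4096].lower():
        # HTML smuggling: the real attachment is a base64 string assembled by script
        for m in B64_RUN.finditer(data):
            try:
                blob = base64.b64decode(m.group(0), validate=True)
            except ValueError:
                continue
            if classify(blob):
                walk(blob, f"{path}/<base64@{m.start()}>", findings, depth + 1)


def triage_eml(raw: bytes) -> List[Tuple[str, str]]:
    """Return (attachment path, container type) for every suspicious object in a message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: List[Tuple[str, str]] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        walk(payload, name, findings)
    return findings


def build_sample_eml() -> bytes:
    """Constructed Qbot-style chain: HTML -> base64 ZIP -> ISO, plus a bare LNK attachment."""
    fake_iso = bytearray(0x8006 + 2048)
    fake_iso[0x8000:0x8006] = b"\x01CD001"          # type-1 Primary Volume Descriptor
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.iso", bytes(fake_iso))
    html = (b"<html><body><script>var p='" + base64.b64encode(zbuf.getvalue())
            + b"';</script></body></html>")
    fake_lnk = b"\x4c\x00\x00\x00" + LNK_CLSID + b"\x00" * 56   # header only, no target
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(html, maintype="text", subtype="html", filename="invoice.html")
    msg.add_attachment(fake_lnk, maintype="application", subtype="octet-stream",
                       filename="invoice.lnk")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, kind in triage_eml(build_sample_eml()):
        print(f"{kind:4s}  {path}")
```

Matching on magic bytes rather than extensions catches renamed attachments; RAR members are reported but not opened because the standard library has no RAR reader, and a production version would additionally cap total decompressed bytes and hand each flagged object to a sandbox.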