Since Microsoft turned off macros in Office apps, attackers are using container file types to deliver malware in one of the biggest threat landscape shifts in recent history. .
After Microsoft announced they will start blocking VBA and XL4 macros by default for Windows Office application late last year, attackers started using container files like ISO and RAR Attachments and Windows shortcut files (LNK) to provide alternative payloads.
“We are seeing behaviors change across the entire threat landscape, and as our researchers mention in the report, they assess with high confidence that this is one of the most significant changes in the threat landscape. largest email threat landscape in recent history,” said Sherrod DeGrippo, vice president of Threat Research and Detection at Proofpoint. “Threats pay attention to what works and what doesn’t, and they are constantly looking for ways to be more effective with their attacks.”
According to security provider Proofpoint, between October 2021 and June 2022, the use of macros to deliver malware dropped by 66%.
VBA macros are used by threat actors to automatically run malicious content when the user has actively enabled macros in Office applications. XL4 macros are specific to the Excel application but can also be weaponized by threat actors, Proofpoint said. Threat actors use social engineering tactics to get users to enable macros, which are necessary to view the contents of a file.
UNDERSTAND: Mobile device privacy policy (TechRepublic Premium)
“Bad actors send macros in Office files to end users who inadvertently activate them, malicious payloads are delivered, and the impact can be severe including malware, compromised identities, data loss and remote access,” Microsoft said in a statement problem-solving blog post.
Site skip sign
Microsoft blocks VBA macros based on a Mark of the Web (MOTW) property called a zone identifier that indicates whether the file comes from the internet, restricted sources, and therefore, if the file can be trusted. The point is that MOTW can be bypassed by using container file formats such as ISO (.iso), RAR (.rar), ZIP (.zip) and IMG (.img) to send macro-enabled documents .
“When downloaded, ISO, RAR, etc files will have the MOTW attribute because they are downloaded from the internet, but the internal document, such as a macro-enabled spreadsheet, will not,” Proofpoint said in a statement. Press Release. “Once the document is unzipped, the user still has to enable macros for the malicious code to execute automatically, but the file system won’t identify the document as coming from the web.”
Attackers can also use container files to deliver payloads directly, Proofpoint said. Container files can obscure LNKs, DLLs, or executables (.exe) resulting in the installation of malicious payloads when opened. Container XLL files, a type of dynamic link library (DLL) file for Excel, have also seen a slight increase in usage after Microsoft announced it would disable XL4 macros in 2021.
UNDERSTAND: Password Breach: Why Pop Culture and Passwords Don’t Go Together (Free PDF) (TechRepublic)
Proofpoint has also reported a small increase in the use of HTML attachments for malware distribution. The number of malware campaigns using HTML attachments more than doubled between October 2021 and June 2022, but the overall number remains low.
“Even though file types have changed, threat actors are still using the same set of social engineering tactics to get people to open and click,” DeGrippo said. “The best defense is a layered approach where people are at the center of your security strategy.”
