After Microsoft Macro malware crackdown, attackers explore new options


A month after Microsoft began rolling out a plan to block macros obtained from the Internet by default, threat actors are using new malware delivery methods for spear-phishing attacks that reduce their reliance on malicious macros.

Ole Villadsen, principal analyst for IBM Security’s X-Force Threat Intelligence team, said that since late last year he has observed attackers increasingly introducing other types of downloaders or droppers. which do not rely on macros, including XLL files, ISO images, Microsoft shortcut files. and MSI files.

“These new file types have been used to distribute Emotet, Qakbot, JSSloader and other payloads,” he said. “In some cases, attackers can experiment with the new file types to get a sense of their effectiveness over previous approaches that rely on macros.

In a recent low-volume Emotet campaign in April, for example, researchers observed attackers using XLL files, a type of dynamic link library (DLL) file designed to augment Excel’s functionality. The campaign showed marked changes from the typical behaviors of the malware, which previously used Microsoft Excel or Word documents containing VBA or XL4 macros. In an April analysis, Proofpoint researchers speculated that the threat actor behind Emotet, TA542, was testing these new tactics on a small scale before rolling them out on a larger level.

“It should be noted that TA542 is interested in new techniques that do not rely on macro-enabled documents, as Microsoft makes it increasingly difficult for threat actors to use macros as an infection vector” , Proofpoint researchers said in an analysis. “Typically, threat actors, including TA542, who use macro-enabled attachments, rely on social engineering to convince a recipient that content is trustworthy, and enabling macros is needed to see it.”

“We have seen indications that several specific and prevalent malware families have recently moved away from document downloaders to different deployment methods that circumvent the changes.”

Microsoft first revealed plans to block macros obtained from the Internet for several Office apps — Access, Excel, PowerPoint, Visio and Word — by default on devices running Windows. The move was seen as a potential game-changer for how attackers launch email attacks. Macros are programs written in Visual Basic for Applications (VBA) that are often used to automate repetitive tasks in Microsoft Office applications. However, cyber criminals exploited them with the end goal of delivering various malicious payloads or stealing sensitive data. The attackers would simply need to send an email to unknown targets with an Office attachment and convince them to enable the malicious macros.

However, Microsoft updates now add additional measures in an effort to make this type of abuse more difficult: if users attempt to enable macros in files obtained from the Internet, a warning message bar from security tells them that Microsoft has blocked macros due to the source of the file being untrusted. End users are then redirected to an article with information on macro security risks, safe practices to prevent phishing, and instructions on how to enable macros.

Sean Gallagher, senior threat researcher at SophosLabs, said researchers are currently seeing a sharp overall decline in document-based droppers – although it’s hard to say whether the move is permanent due to constant changes in the world. course of the past year.

“We’ve seen indications that several specific and prevalent malware families have recently pivoted a bit, moving from document downloaders to different deployment methods that circumvent the changes,” Gallagher said. “Qakbot and IcedID have moved to ISO shipping, while we’ve seen Emotet move to a Windows Shortcuts package that runs Powershell.”

Organizations should be aware that these threats are constantly evolving, Gallagher said, with attackers adjusting their tactics to find the cheapest and most effective way to remove malware.

“Defense in depth – including signature and behavior detection, reputation and network detection, software patches and proper user training on how threats work and how to spot and avoid them – is the best way to reduce the likelihood of a malicious actor’s success,” says Gallagher.


About Author

Comments are closed.