Ever since Microsoft began blocking macros by default in Office files that come from the Internet, attackers have been turning to container file types to deliver malware, in what Proofpoint calls one of the biggest shifts in the email threat landscape in recent history.
After Microsoft announced late last year that it would block VBA and XL4 macros by default in Office for Windows, attackers switched to container files, such as ISO and RAR attachments, and to Windows shortcut (LNK) files to deliver payloads instead.
“We’re seeing behavioral changes across the threat landscape, and as our researchers note in the report, they judge with great confidence that this is one of the biggest shifts in the email threat landscape in recent history,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. “Threat actors pay attention to what works and what doesn’t; they are constantly looking for ways to be more effective with their attacks.”
According to security vendor Proofpoint, between October 2021 and June 2022, the use of macros to deliver malware payloads decreased by 66%.
VBA macros let threat actors run malicious code automatically once a user has enabled macros in an Office application. XL4 (Excel 4.0) macros are specific to Excel but are abused the same way, Proofpoint said. In both cases the attacker relies on social engineering, typically telling the user that macros must be enabled to view the file's contents.
“Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered and the impact can be severe, including malware, compromised identity, data loss and remote access,” Microsoft said in a blog post about the problem.
Bypassing Mark of the Web
Microsoft's block keys off the Mark of the Web (MOTW), a zone ID attribute that Windows writes to a downloaded file to record whether it came from the Internet or a restricted zone, and thus whether it can be trusted. The problem is that MOTW can be circumvented by using container file formats such as ISO (.iso), RAR (.rar), ZIP (.zip), and IMG (.img) to deliver macro-enabled documents. Whether the mark survives depends on how the container is opened: Windows Explorer's built-in ZIP extraction copies it onto the extracted files, but files inside a mounted ISO or IMG image, or extracted by many third-party archivers, carry no mark at all.
“When downloaded, the ISO, RAR, etc. files have the MOTW attribute because they were downloaded from the Internet, but the document in them, such as a macro-enabled spreadsheet, does not,” Proofpoint said in a press release. “When the document is extracted, the user still needs to enable macros to run the malicious code automatically, but the file system will not identify the document as coming from the web.”
Attackers can also use container files to distribute payloads directly, Proofpoint said. A container can carry LNK, DLL, or executable (.exe) files that install a malicious payload when opened. XLL files, Excel add-ins that are a form of Dynamic Link Library (DLL), have also seen a slight increase in use since Microsoft announced in 2021 that it would disable XL4 macros.
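The two preceding points, that MOTW is a per-file attribute the container keeps but its contents do not, and that a container can carry LNK, DLL, EXE, XLL or macro-enabled files directly, can be checked from a script. The following Python is an added example, not code from Proofpoint, Microsoft or the article: it parses the Zone.Identifier stream that Windows uses to store the Mark of the Web, reads it from a file on NTFS, and inspects a ZIP attachment for member types that should not be arriving inside a container. The sample ZIP, its file names and the list of flagged extensions are this example's own constructions, chosen to match the file types named above.

```python
"""Added example, not code from Proofpoint or the article.

1. parse_zone_identifier / read_mark_of_the_web inspect the Mark of the Web,
   which Windows stores in the NTFS alternate data stream <file>:Zone.Identifier.
2. inspect_container lists the members of a ZIP attachment and flags the types
   attackers hide inside containers. Members have no Zone.Identifier of their
   own, so a block keyed on MOTW does not see them once they are extracted.
The sample ZIP and its file names are constructed here; the bytes are harmless.
"""
import io
import os
import zipfile

# ZoneId values from the Windows URL security zones (URLZONE enumeration).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Extensions worth flagging inside a container: the payload types the article
# names (LNK, DLL, EXE, XLL), macro-capable Office formats, nested disk images.
# This list is this example's own choice, not a Proofpoint or Microsoft list.
RISKY_MEMBER_EXTENSIONS = {
    ".lnk", ".exe", ".dll", ".xll", ".scr", ".js", ".vbs", ".hta",
    ".doc", ".docm", ".dotm", ".xls", ".xlsm", ".xlsb", ".xltm", ".pptm",
    ".iso", ".img", ".vhd", ".vhdx",
}
LURE_OUTER_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".txt"}


def parse_zone_identifier(stream_text):
    """Parse the INI-style body of a Zone.Identifier stream, e.g.
        [ZoneTransfer]
        ZoneId=3
        HostUrl=https://example.test/Invoice.zip
    Returns zone_id (int or None), zone_name, referrer_url and host_url.
    """
    info = {"zone_id": None, "zone_name": "unknown",
            "referrer_url": None, "host_url": None}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "zoneid":
            info["zone_id"] = int(value) if value.isdigit() else None
            info["zone_name"] = ZONE_NAMES.get(info["zone_id"], "unknown")
        elif key == "referrerurl":
            info["referrer_url"] = value
        elif key == "hosturl":
            info["host_url"] = value
    return info


def read_mark_of_the_web(path):
    """Return the parsed MOTW of a file on NTFS, or None if the file has none.

    Alternate data streams exist only on Windows/NTFS. A file that was never
    downloaded, or that was extracted from a container or copied off a mounted
    ISO, has no Zone.Identifier stream and also yields None.
    """
    if os.name != "nt":
        return None
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def inspect_container(zip_bytes):
    """Return (member_name, reason) for each risky member of a ZIP container.

    Extensions are compared case-insensitively, as Windows does, and a double
    extension such as 'Invoice.pdf.lnk' is called out as a lure.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            stem, ext = os.path.splitext(member.filename)
            ext = ext.lower()
            if ext not in RISKY_MEMBER_EXTENSIONS:
                continue
            reason = f"{ext} inside container; extracted copy carries no Mark of the Web"
            if os.path.splitext(stem)[1].lower() in LURE_OUTER_EXTENSIONS:
                reason += " (double-extension lure)"
            findings.append((member.filename, reason))
    return findings


def build_sample_container():
    """Constructed sample resembling a lure attachment; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "benign text")
        zf.writestr("Invoice_2022.pdf.lnk", b"placeholder, not a real shortcut")
        zf.writestr("Q2_Report.xlsm", b"placeholder, not a real workbook")
    return buf.getvalue()


if __name__ == "__main__":
    motw = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/Invoice.zip\r\n"
    print("container MOTW:", parse_zone_identifier(motw))
    for name, reason in inspect_container(build_sample_container()):
        print(f"FLAG {name}: {reason}")
```

Run on Windows against a real download, read_mark_of_the_web reports ZoneId 3 (Internet) for the ISO or ZIP itself and None for a document copied out of a mounted image, which is exactly the gap Proofpoint describes. For ISO, IMG or RAR attachments the same member check applies but needs a library for that format in place of zipfile.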
Proofpoint has also reported a small increase in the use of HTML attachments to deliver malware. The number of malware campaigns with HTML attachments more than doubled between October 2021 and June 2022, but the total number remains low.
“Although file types have changed, threat actors still use the same wide range of social engineering tactics to get people to open and click,” DeGrippo said. “The best defense is a layered approach that puts people at the heart of your security strategy.”