With Microsoft taking steps to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default across Office apps, malicious actors are responding by refining their new tactics, techniques, and procedures (TTPs).
"The use of VBA and XL4 Macros decreased approximately 66% from October 2021 through June 2022," Proofpoint said in a report shared with The Hacker News.
Instead, adversaries are increasingly pivoting away from macro-enabled documents to other alternatives, including container files such as ISO and RAR as well as Windows Shortcut (LNK) files in campaigns to distribute malware.
"Threat actors pivoting away from directly distributing macro-based attachments in email represents a significant shift in the threat landscape," Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said in a statement.
"Threat actors are now adopting new tactics to deliver malware, and the increased use of files such as ISO, LNK, and RAR is expected to continue."
VBA macros embedded in Office documents sent via phishing emails have proven to be an effective technique in that they allow threat actors to automatically run malicious content after tricking a recipient into enabling macros via social engineering tactics.
However, Microsoft's plans to block macros in files downloaded from the internet have led to email-based malware campaigns experimenting with alternative ways to bypass Mark of the Web (MOTW) protections and infect victims.
This involves the use of ISO, RAR and LNK file attachments, which have surged nearly 175% during the same period. At least 10 threat actors are said to have begun using LNK files since February 2022.
"The number of campaigns containing LNK files increased 1,675% since October 2021," the enterprise security company noted, adding that the number of attacks using HTML attachments more than doubled from October 2021 to June 2022.
Some of the notable malware families distributed via these new methods include Emotet, IcedID, Qakbot, and Bumblebee.
"Generally speaking, these other file types are directly attached to an email in the same way we would previously observe a macro-laden document," DeGrippo told The Hacker News in an emailed response.
"There are also cases where the attack chains are more convoluted, for example, with some recent Qbot campaigns where a .ZIP containing an ISO is embedded within an HTML file directly attached to a message."
"As for getting intended victims to open and click, the methods are the same: a wide array of social engineering tactics to get people to open and click. The preventive measures we use for phishing still apply here."
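A defender-side triage script for the shift described above, as an added example that is not code from Proofpoint or The Hacker News: it identifies ISO, RAR, ZIP and LNK attachments by their file signatures rather than their names, and decodes long base64 runs inside HTML attachments so that the HTML > ZIP > ISO chain quoted above is surfaced instead of hidden. The helper names, the constructed sample message and the signature constants are my assumptions; MOTW propagation is a Windows filesystem property and is not checked here.

```python
"""Triage e-mail attachments for container and shortcut payloads.

Added example, not the report's or the article's code. Assumed: helper names,
the constructed sample message, and the file signatures used below.
"""
import base64
import binascii
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Well-known file signatures (magic bytes).
ISO_OFFSET = 0x8001          # ISO 9660 primary volume descriptor starts at sector 16 (+1 byte)
ISO_MAGIC = b"CD001"
RAR_MAGIC = b"Rar!\x1a\x07"  # shared prefix of the RAR 4.x and RAR 5.x signatures
ZIP_MAGIC = b"PK\x03\x04"
# Shell link (.lnk): HeaderSize 0x4C, then LinkCLSID 00021401-0000-0000-C000-000000000046 (little-endian).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions the report calls out as replacing macro documents, plus ZIP as a wrapper.
CONTAINER_EXTENSIONS = (".iso", ".rar", ".lnk", ".zip")

# Contiguous base64 runs long enough to carry a file rather than an inline icon.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def classify_bytes(data: bytes) -> Optional[str]:
    """Identify a payload by its signature, ignoring the filename entirely."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    end = ISO_OFFSET + len(ISO_MAGIC)
    if len(data) >= end and data[ISO_OFFSET:end] == ISO_MAGIC:
        return "iso"
    return None


def _inspect_zip(blob: bytes, attachment: str, chain: str, findings: List[Dict[str, str]]) -> None:
    """Record every ZIP member, so an ISO wrapped in a ZIP is reported on its own."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                kind = classify_bytes(zf.read(info.filename)) or "unknown"
                findings.append({"attachment": attachment, "kind": kind,
                                 "chain": f"{chain} > {info.filename}"})
    except zipfile.BadZipFile:
        pass


def _inspect_html(data: bytes, attachment: str, findings: List[Dict[str, str]]) -> None:
    """Decode long base64 runs in an HTML attachment and classify what they contain."""
    for match in B64_RUN.finditer(data):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue
        kind = classify_bytes(blob)
        if kind is None:
            continue
        chain = f"{attachment} > base64 > {kind}"
        findings.append({"attachment": attachment, "kind": kind, "chain": chain})
        if kind == "zip":
            _inspect_zip(blob, attachment, chain, findings)


def triage_message(raw: bytes) -> List[Dict[str, str]]:
    """Return one finding per container/shortcut payload found among the attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[Dict[str, str]] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        kind = classify_bytes(data)
        if kind is not None:
            findings.append({"attachment": name, "kind": kind, "chain": name})
        elif name.lower().endswith(CONTAINER_EXTENSIONS):
            # The name claims a container but the bytes do not match: still worth a look.
            findings.append({"attachment": name, "kind": "mismatch", "chain": name})
        if part.get_content_type() == "text/html":
            _inspect_html(data, name, findings)
    return findings


def build_sample_message() -> bytes:
    """Constructed sample mirroring the quoted chain: HTML -> ZIP -> ISO, plus a bare LNK."""
    fake_iso = b"\x00" * ISO_OFFSET + ISO_MAGIC + b"\x00" * 16   # just enough to carry the signature
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.iso", fake_iso)
    smuggled = base64.b64encode(zip_buf.getvalue()).decode("ascii")
    html = f'<html><body><script>var payload = "{smuggled}";</script></body></html>'
    fake_lnk = LNK_MAGIC + b"\x00" * 56                            # header only, no link target

    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(html, subtype="html", filename="invoice.html")
    msg.add_attachment(fake_lnk, maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.lnk")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(f"{finding['kind']:8} {finding['chain']}")
```

Classification is by content, not extension, because the double-extension trick (`invoice.pdf.lnk`) and a renamed ISO both survive a name-only filter; the `mismatch` finding covers the opposite case, where the name promises a container and the bytes do not. Each ZIP member is reported separately so the ISO nested inside the HTML-smuggled archive appears as its own line in a mail-gateway log or SIEM rather than being lost behind the outer ZIP.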