Emotet Office Macros Abuse Continues Despite Microsoft Protections

By Researcher, June 28, 2022, in Cybersecurity
Two months after Microsoft began blocking internet-sourced VBA macros by default, researchers report that attackers are still relying on the old delivery method in the wild, having observed hundreds of malicious Office documents used to download and execute the Emotet malware in June.

Researchers with Netskope said they found 776 malicious spreadsheets submitted between June 9 and June 21 that abuse Excel 4.0 (XLM) macros to download and execute Emotet’s payload. Researchers believe that attackers are skirting the protections by targeting users who either rely on outdated Office versions or have changed the default setting to explicitly enable macros.

“The fact that attackers are still using Excel 4.0 Macros indicates that there are outdated Office versions and users who have this protection disabled,” said Gustavo Palazolo, staff threat research engineer at Netskope, in a Monday analysis.

Microsoft’s plan to block internet-sourced macros by default – macros being programs written in Visual Basic for Applications (VBA), often used to automate repetitive tasks in Office – applies to several Office applications on devices running Windows. The change was first rolled out on April 12 in the Current Channel (Preview) for version 2203, and reached the Current Channel in version 2205 starting on June 6. Cybercriminals have long used macros to deliver malicious payloads or steal sensitive data; Microsoft’s update makes this type of abuse more difficult. When users try to enable macros in a file obtained from the internet, a security warning message bar tells them that Microsoft has blocked the macros because the file’s source is untrusted, and points them to an article covering the security risks of macros, safe practices against phishing and instructions on how to enable macros.
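Office decides that a file was “obtained from the internet” by reading its Mark of the Web, the NTFS Zone.Identifier alternate data stream that browsers and mail clients attach to downloads. The following Python is an added example for this article, not code from Microsoft or Netskope: it parses that stream and reports whether the default macro block would apply. The zone numbering (0 local machine through 4 restricted sites) is the standard Windows URL security zone scheme, and the assumption that the block applies to zones 3 and 4 follows Microsoft’s description of the feature; the sample stream contents are constructed. A file that carries no stream at all is treated as local, which is also why container formats such as the ISO images mentioned in this article are attractive to attackers: a file extracted from them may arrive with no mark.

```python
"""Check a file's Mark of the Web (the NTFS Zone.Identifier alternate data
stream) to decide whether Office's default macro block would apply to it.
Added example for this article; not code from Netskope or Microsoft."""
import configparser

# Windows URL security zones as stored in the stream's ZoneId value.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}
# Assumption from Microsoft's description: the default block applies to files
# tagged as coming from the Internet or Restricted Sites zones only.
BLOCKED_ZONES = {3, 4}


def parse_zone_identifier(stream_text):
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream.

    Returns a dict with the numeric zone id (None if absent or malformed),
    its name, and the ReferrerUrl / HostUrl values when present.
    """
    info = {"zone_id": None, "zone": "unknown", "referrer": None, "host": None}
    if not stream_text:
        return info  # no stream at all: the file carries no Mark of the Web
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text)
    except configparser.Error:
        return info  # treat an unparseable stream as untagged rather than crash
    if not parser.has_section("ZoneTransfer"):
        return info
    section = parser["ZoneTransfer"]
    zone_raw = section.get("ZoneId", "").strip()
    if zone_raw.isdigit():
        info["zone_id"] = int(zone_raw)
        info["zone"] = ZONE_NAMES.get(info["zone_id"], "unknown")
    info["referrer"] = section.get("ReferrerUrl")
    info["host"] = section.get("HostUrl")
    return info


def macros_blocked_by_default(stream_text):
    """True when the zone is one Office treats as untrusted (Internet/Restricted)."""
    return parse_zone_identifier(stream_text)["zone_id"] in BLOCKED_ZONES


def read_zone_identifier(path):
    """Read the alternate data stream from an NTFS file (Windows only).

    Returns None when the file has no stream, e.g. because it was created
    locally or the mark was stripped on the way in.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as stream:
            return stream.read()
    except OSError:
        return None


# Constructed sample streams (not taken from any real file).
SAMPLE_INTERNET = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://mail.example.test/\r\n"
    "HostUrl=https://mail.example.test/attachments/quote.xls\r\n"
)
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"

if __name__ == "__main__":
    for label, text in (("internet", SAMPLE_INTERNET),
                        ("intranet", SAMPLE_INTRANET),
                        ("untagged", None)):
        print(label, parse_zone_identifier(text),
              "blocked:", macros_blocked_by_default(text))
```

On a Windows host, `read_zone_identifier(r"C:\Users\jdoe\Downloads\quote.xls")` feeds the real stream into the same parser; the checks on the constructed samples show an internet-zone attachment being blocked while an intranet-zone or untagged copy of the same file is not, which is the gap the article says attackers are relying on.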

After Microsoft’s protections were introduced earlier this year, researchers noted attackers increasingly introducing other types of downloaders or droppers that do not rely on macros, including XLL files, ISO images, Microsoft shortcut files and MSI files. That includes Emotet, with Netskope researchers observing an Emotet campaign using LNK files instead of Microsoft Office documents in April. At the same time, the use of Microsoft Office files has been steadily decreasing in attacks overall, said Palazolo. In May, Microsoft Office files represented less than 10 percent of malware downloads detected by Netskope researchers, down from 31 percent in January.


However, researchers noted that even as threat actors experiment with these newer delivery methods, they continue to rely on malicious macros. While inspecting the malicious spreadsheets, Netskope researchers extracted 18 distinct URLs from the 776 samples (most samples shared the same URLs and some metadata), including four that were still online and ended in the delivery of Emotet. The files were delivered as email attachments with lures commonly used in Emotet campaigns, such as purported quotes for business transactions and medical reports.

Where macros were enabled despite Microsoft’s protections, obfuscated malicious code in the spreadsheets downloaded the payload from an external URL and executed it with “regsvr32.exe.” The Emotet payload samples associated with these URLs differ slightly from a sample researchers had observed in April: the newer samples use functions to retrieve decrypted strings, and obtain their C2 addresses by parsing them through functions rather than storing them in the PE .data section, said researchers.
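The execution step above, a spreadsheet handing a downloaded file to regsvr32.exe, leaves a recognisable parent/child relationship in process-creation telemetry. The following Python is an added example, not Netskope’s detection logic: it runs a simple rule over constructed log lines (loosely modelled on Sysmon event 1 fields, but not in Sysmon’s actual format) and flags regsvr32.exe whenever its parent is an Office application. The list of Office parents and the rule that a payload under a user-writable path raises the severity are assumptions of the example, and the sample events, paths and timestamps are constructed.

```python
"""Flag process-creation events in which an Office application spawns
regsvr32.exe, the execution step described in the article. Added example;
the log format and sample lines are constructed, and this is not
Netskope's detection logic."""
import re
from pathlib import PureWindowsPath

# Office parents worth watching (assumed list); a spreadsheet macro runs
# inside EXCEL.EXE, so that is the parent the article's samples would show.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
TARGET_IMAGE = "regsvr32.exe"
# Heuristic (assumption): a payload dropped by a macro usually lands in a
# user-writable path, whereas legitimate COM registrations rarely do.
USER_WRITABLE = ("\\users\\", "\\temp\\")

# key=value pairs, with values optionally double-quoted (constructed format).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one log line into a dict of field name -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def image_name(path):
    """Lower-cased file name of a Windows path, usable on any host OS."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return a severity string for a suspicious event, or None if benign."""
    if image_name(event.get("Image", "")) != TARGET_IMAGE:
        return None
    if image_name(event.get("ParentImage", "")) not in OFFICE_APPS:
        return None
    cmd = event.get("CommandLine", "").lower()
    return "high" if any(p in cmd for p in USER_WRITABLE) else "medium"


def detect(lines):
    """Run classify() over raw log lines and collect the hits in order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity:
            hits.append({
                "time": event.get("UtcTime"),
                "parent": image_name(event["ParentImage"]),
                "severity": severity,
                "command": event.get("CommandLine", ""),
            })
    return hits


# Constructed sample events: one Excel-spawned regsvr32 dropping into a user
# temp folder, one benign Excel launch, one installer-driven regsvr32, and one
# Word-spawned regsvr32 outside a user profile.
SAMPLE_EVENTS = [
    r'UtcTime=2022-06-14T10:22:01Z ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Image="C:\Windows\System32\regsvr32.exe" CommandLine="regsvr32.exe /s C:\Users\jdoe\AppData\Local\Temp\quote_2022.ocx"',
    r'UtcTime=2022-06-14T10:22:03Z ParentImage="C:\Windows\explorer.exe" Image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" CommandLine="EXCEL.EXE quote_2022.xls"',
    r'UtcTime=2022-06-14T10:30:11Z ParentImage="C:\Windows\System32\msiexec.exe" Image="C:\Windows\System32\regsvr32.exe" CommandLine="regsvr32.exe /s C:\PROGRA~1\Vendor\vendor.dll"',
    r'UtcTime=2022-06-14T11:02:45Z ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Image="C:\Windows\System32\regsvr32.exe" CommandLine="regsvr32.exe /s C:\ProgramData\cache\r.dll"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["time"], hit["severity"], hit["parent"], "->", hit["command"])
```

The installer-driven registration in the third sample is ignored because its parent is msiexec.exe rather than an Office process, which keeps the rule quiet during normal software deployment; matching on the parent rather than on regsvr32.exe alone is what makes this usable as an alert rather than a noisy report.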

“Attackers are constantly updating their arsenal to often bypass antivirus engines or automated analysis pipelines, which is probably what Emotet developers have done,” explained Palazolo. “However, despite these recent changes, it’s still feasible to detect Emotet and automatically extract its IOCs from a compiled binary.”

Emotet, which began as a banking trojan in 2014, eventually evolved into a botnet that sent spam emails to victims in order to install a collection of second-stage payloads (including TrickBot, QakBot and ZLoader) on their devices. Over the past few months, attackers deploying Emotet have adopted various techniques, including the use of “unconventional” representations of IP addresses to avoid detection, and having Emotet install Cobalt Strike beacons directly rather than via an intermediate payload.

In order to mitigate against attacks that deploy Emotet, “we strongly recommend users to update Microsoft Office to its latest versions,” said Palazolo. “Also, IT administrators may also completely block Excel 4.0 (XLM) Macros via Group Policy.”
