Since Microsoft’s shutdown of macros in Office apps, attackers are using container file types to deliver malware in one of the largest threat landscape shifts in recent history.
After Microsoft announced it would begin blocking VBA and XL4 macros by default for Windows Office applications late last year, attackers began using container files such as ISO and RAR attachments and Windows shortcut (LNK) files to deliver payloads instead.
“We are seeing behaviors shift across the entire threat landscape, and as our researchers mention in the report, they assess with high confidence this is one of the largest email threat landscape shifts in recent history,” said Sherrod DeGrippo, vice president of Threat Research and Detection at Proofpoint. “Threat actors pay attention to what works and what doesn’t, they’re continually looking for ways to be more effective with their attacks.”
According to security vendor Proofpoint, between October 2021 and June 2022, the use of macros to deliver malware payloads decreased by 66%.
VBA macros are used by threat actors to automatically run malicious content when a user has actively enabled macros in Office applications. XL4 macros are specific to the Excel application but can also be weaponized by threat actors, Proofpoint said. Threat actors use social engineering tactics to get users to enable the macros, which are necessary to view the file’s content.
SEE: Mobile device security policy (TechRepublic Premium)
“Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss, and remote access,” Microsoft said in a blog post addressing the issue.
Bypassing Mark of the Web
Microsoft blocks VBA macros based on a Mark of the Web (MOTW) attribute known as a zone identifier that shows if a file comes from the internet, a restricted source, and, therefore, if it can be trusted. The problem is MOTW can be bypassed by using container file formats such as ISO (.iso), RAR (.rar), ZIP (.zip) and IMG (.img) to send macro-enabled documents.
“When downloaded, the ISO, RAR, etc. files will have the MOTW attribute because they were downloaded from the internet, but the document inside, such as a macro-enabled spreadsheet, will not,” Proofpoint said in a press release. “When the document is extracted, the user will still have to enable macros for the malicious code to automatically execute, but the file system will not identify the document as coming from the web.”
Attackers can also use container files to distribute payloads directly, Proofpoint said. Container files can obscure LNKs, DLLs or executable (.exe) files that lead to the installation of a malicious payload when opened. Container XLL files, a type of dynamic link library (DLL) file for Excel, have also seen a slight increase in use after Microsoft announced it would disable XL4 macros in 2021.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Proofpoint has also reported a small increase in the use of HTML attachments to deliver malware. The number of malware campaigns using HTML attachments more than doubled from October 2021 to June 2022 but the overall number remains low.
“Although the file types have changed, threat actors are still using the same wide array of social engineering tactics to get people to open and click,” DeGrippo said. “The best defense is a multi-layered approach where people are at the center of your security strategy.”