Since Microsoft's shutdown of macros in Office apps, attackers have turned to container file types to deliver malware, in one of the largest threat landscape shifts in recent history.
After Microsoft announced late last year that it would begin blocking VBA and XL4 macros by default in Windows Office applications, attackers began delivering payloads through container files such as ISO and RAR attachments and Windows shortcut (LNK) files instead.
"We're seeing behaviors shift across the entire threat landscape, and as our researchers point out in the report, they assess with high confidence this is one of the largest email threat landscape shifts in recent history," said Sherrod DeGrippo, vice president of Threat Research and Detection at Proofpoint. "Threat actors pay attention to what works and what doesn't, and they're continually looking for ways to be more effective with their attacks."
According to security vendor Proofpoint, the use of macros to deliver malware payloads decreased by 66% between October 2021 and June 2022.
Threat actors use VBA macros to run malicious code automatically once a user has enabled macros in an Office application. XL4 (Excel 4.0) macros are specific to Excel but can also be weaponized, Proofpoint said. In either case the macros do not run until the user enables them, so attackers rely on social engineering lures that claim enabling macros is necessary to view the file's content.
"Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss, and remote access," Microsoft said in a blog post addressing the issue.
Bypassing Mark of the Web
Microsoft's new default blocks VBA macros based on the Mark of the Web (MOTW), a zone identifier attached to a file when it is downloaded from the internet or another restricted source; on NTFS it is stored as an alternate data stream named Zone.Identifier, and its presence tells Office the file should not be trusted. The problem is that MOTW can be bypassed by using container file formats such as ISO (.iso), RAR (.rar), ZIP (.zip) and IMG (.img) to deliver macro-enabled documents: the mark is applied to the container that was downloaded, not to the files inside it.
"When downloaded, the ISO, RAR, etc. files will have the MOTW attribute because they were downloaded from the internet, but the document inside, such as a macro-enabled spreadsheet, will not," Proofpoint said in a press release. "When the document is extracted, the user will still have to enable macros for the malicious code to automatically execute, but the file system will not identify the document as coming from the web."
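The check a practitioner wants after reading the above is whether a given document actually carries the mark. The PowerShell below is an added example, not code from the article, Proofpoint or Microsoft. It assumes a downloaded ZIP at an illustrative path, reads the Zone.Identifier stream on the container and on each extracted file of interest, and writes an Internet-zone mark onto any extracted file that lacks one so Office's macro block applies to it.

```powershell
# Added example, not from the article or Proofpoint. Inspects a downloaded ZIP and the
# files extracted from it for the Zone.Identifier alternate data stream that carries the
# Mark of the Web, then re-applies the Internet-zone mark to anything that lost it.
# The archive path and extraction folder are assumptions for illustration.

$archive   = Join-Path $env:USERPROFILE 'Downloads\invoice.zip'
$extractTo = Join-Path $env:TEMP 'invoice_extracted'

function Get-Motw {
    param([Parameter(Mandatory)][string]$Path)
    # MOTW is stored on NTFS as an alternate data stream named Zone.Identifier.
    # Get-Item -Stream raises a non-terminating error when the stream is missing; treat that as "no mark".
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    # The stream body is INI-style text, e.g. "[ZoneTransfer]" followed by "ZoneId=3".
    return Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
}

function Set-MotwInternet {
    param([Parameter(Mandatory)][string]$Path)
    # ZoneId=3 is the Internet zone, the value Office's default macro block keys on.
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

# 1. The container itself normally carries the mark, because the browser or mail client
#    that saved it wrote the stream.
$containerMark = Get-Motw -Path $archive
Write-Host ("Container {0}: MOTW {1}" -f (Split-Path $archive -Leaf), $(if ($containerMark) { 'present' } else { 'absent' }))

# 2. Unpack it. Expand-Archive handles ZIP only; ISO/IMG need the extra step described below.
Expand-Archive -LiteralPath $archive -DestinationPath $extractTo -Force

# 3. Check the extracted files. Macro-enabled Office documents and XLL add-ins matter for
#    the macro block; LNK/EXE/DLL matter because SmartScreen also consults the mark.
$watch = '.doc','.docm','.dotm','.xls','.xlsm','.xlsb','.xlam','.xll','.ppt','.pptm','.lnk','.exe','.dll'
Get-ChildItem -LiteralPath $extractTo -Recurse -File |
    Where-Object { $watch -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $marked = [bool](Get-Motw -Path $_.FullName)
        Write-Host ("  {0,-40} MOTW {1}" -f $_.Name, $(if ($marked) { 'present' } else { 'ABSENT' }))
        if (-not $marked) {
            # Restore what the container stripped so Office treats the file as an Internet download.
            Set-MotwInternet -Path $_.FullName
        }
    }
```

Two caveats. ISO and IMG files cannot be handled this way in place: Mount-DiskImage exposes them as a read-only CDFS/UDF volume, which has no alternate data streams at all, so copy the contents to an NTFS path and run the check against the copy. Whether an unpacker propagates the mark on its own depends on the tool and the Windows build, so verify rather than assume. Re-marking files is a containment step for an analysis host; for the fleet, the lever is the Office Group Policy setting that blocks macros in files from the internet, applied so users cannot override it.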
Attackers can also use container files to distribute payloads directly, Proofpoint said. A container can hide LNK, DLL or executable (.exe) files that install a malicious payload when opened. XLL files, Excel add-ins that are a type of dynamic link library (DLL), have also seen a slight increase in use since Microsoft announced in 2021 that it would disable XL4 macros.
Proofpoint has also reported a small increase in the use of HTML attachments to deliver malware. The number of malware campaigns using HTML attachments more than doubled between October 2021 and June 2022, but the overall volume remains low.
"Although the file types have changed, threat actors are still using the same wide range of social engineering tactics to get people to open and click," DeGrippo said. "The best defense is a multi-layered approach where people are at the center of your security strategy."