Hackers Change Tactics for New Post-Macro Era

Threat actors are moving away from macro-based attacks to other tactics, in one of the biggest shifts in the email threat landscape in recent history, according to Proofpoint.

Microsoft announced in October 2021 that it would soon block XL4 macros which are specific to Excel. Several months later it said the same about VBA macros, which are used in Office applications. Threat actors typically use social engineering to convince users they need to enable macros to view specific content.

The changes began to roll out this year, and Proofpoint saw an almost immediate reaction from the cybercrime community.

It claimed the use of macro-enabled attachments by threat actors decreased by around 66% between October 2021 and June 2022.

However, ever-resourceful hackers have found a way to bypass Microsoft’s new rules to continue delivering malicious content to victims.

“Microsoft will block VBA macros based on a Mark of the Web (MOTW) attribute that shows whether a file comes from the internet known as the Zone.Identifier. Microsoft applications add this to some documents when they are downloaded from the web,” explained Proofpoint.

“However, MOTW can be bypassed by using container file formats. Threat actors can use container file formats such as ISO, RAR, ZIP and IMG files to send macro-enabled documents.”

The vendor explained that downloaded container files like ISO and RAR will have the MOTW attribute because they were downloaded from the internet, but the document inside, such as a macro-enabled spreadsheet, will not. Once the doc is extracted, the user will still have to enable macros for malicious code to execute, but the file system will not identify the document as coming from the web.

“Additionally, threat actors can use container files to distribute payloads directly. When opened, container files may contain additional content such as LNKs, DLLs, or executable files that lead to the installation of a malicious payload,” Proofpoint added.

As a result, the security vendor has seen the number of malicious campaigns using container file formats surge 176% between October 2021 and June 2022.

These attacks are mainly used for initial access, Proofpoint said.

“Proofpoint researchers assess with high confidence this is one of the largest email threat landscape shifts in recent history,” it concluded. “It is likely threat actors will continue to use container file formats to deliver malware, while relying less on macro-enabled attachments.”

What’s Hot on Infosecurity Magazine?