Microsoft’s decision to block macros from Internet sources by default last year is forcing attackers to find innovative new ways to compromise systems and deliver malware, according to threat researchers at Proofpoint.
“The cybercriminal ecosystem has seen a massive shift in activity and threat behavior over the past year in a way previously unnoticed by threat researchers,” the security team wrote in a report [PDF] published just before the end of the week. “Financially motivated threat actors who gain initial access via email are no longer using static and predictable attack chains, but rather dynamic and rapidly changing techniques.”
The researchers write that there were more than 700 cyber campaigns in 2021 that used Visual Basic for Applications (VBA) macros in their attacks, and about the same number used XL4 macros, which are specific to Excel.
There are no macros for you
After Redmond blocked both types of macros by default last year for files downloaded from the Internet, to improve security for Office users, the number of campaigns using either method dropped by nearly 66 percent, and in the first three months of this year “macros barely appeared in campaign data,” the Proofpoint team claimed.
“This change is largely driven by Microsoft banning macros by default and forcing everyone along the threat actor’s food chain from small crime actors to more experienced cybercriminals enabling major ransomware attacks to change the way they conduct business,” the researchers said.
Instead, miscreants are finding new ways to gain initial access to victims’ systems, and we’ve detailed a number of them, including LNK files, ISO and RAR attachments, and Excel XLL add-ins, at least until Microsoft blocked those too earlier this year.
Security professionals pushed Microsoft to block downloaded macros by default long before Redmond’s move, citing their widespread use by cybercriminals. Since the software vendor changed its default settings, Proofpoint researchers write, there has been a significant change in behavior and methods among cybercriminals.
They analyzed telemetry collected from billions of messages per day and looked at data from threat campaigns between January 2021 and March 2023.
Cybercriminals distributed macro-enabled documents to targeted users and relied on social engineering to convince victims that the content was important and that enabling macros was necessary to view it. If recipients did so, the malware payload was delivered.
Now they’re not just moving away from macros; they’re experimenting with other methods of gaining initial access via email, and no single consistent, reliable technique has been widely adopted among the miscreants.
In addition, there seems to be a follow-the-leader mentality among the crooks. One or more threat groups adopt a new tactic, and within weeks or months more miscreants are using it. Proofpoint expects this trend to continue.
“Some of the most sophisticated players in the ecrime space have the time and resources available to develop, iterate, and test various malware delivery technologies,” the researchers wrote.
The tendency to copy what other threat groups do was evident in the use of LNK files. Prior to April 2022, only a few initial access brokers (IABs) – groups that gain access to compromised systems and then sell that access to other cybercriminals, including ransomware operators – were using LNK files.
But then four threat groups began using such files, including TA542 to deliver the infamous Emotet malware, and soon others were doing the same, until LNK’s popularity began to wane in favor of other methods.
HTML and PDF attachments are becoming popular
Among these is HTML smuggling, whose use accelerated between June and October 2022 before tapering off and then returning in February. Miscreants use this technique to hide malicious scripts, in encoded form, inside an HTML attachment. When the attachment is opened, the web browser decodes the script, which assembles the malware on the victim’s machine.
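The technique described above leaves a recognizable footprint in the attachment itself: script that base64-decodes a large embedded blob, builds a file in browser memory, and hands it to the user as a download. As an added defender-side example (not Proofpoint's detection logic and not code from the original article), the following Python scores an HTML attachment on those indicators and sniffs the decoded blob's header; the indicator list, threshold and sample inputs are assumptions constructed for illustration.

```python
import base64
import re
from dataclasses import dataclass, field

# Assumed heuristic token list (not Proofpoint's): script constructs typical of HTML smuggling.
JS_INDICATORS = {
    "atob(": "base64 decoding in script",
    "new Blob(": "file assembled in browser memory",
    "URL.createObjectURL(": "object URL created for download",
    "msSaveOrOpenBlob": "legacy Edge/IE save-file API",
    ".download =": "forced download filename",
}
# Any run of 200+ base64 characters counts as an embedded blob.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# File headers worth calling out if the blob decodes to them.
MAGICS = [(b"MZ", "PE executable"), (b"PK\x03\x04", "ZIP/OOXML container"), (b"%PDF", "PDF")]


@dataclass
class Verdict:
    suspicious: bool
    score: int
    reasons: list[str] = field(default_factory=list)


def scan_html(html: str, threshold: int = 3) -> Verdict:
    """Score an HTML attachment; suspicious when at least `threshold` indicators fire."""
    reasons = [why for token, why in JS_INDICATORS.items() if token in html]
    blobs = B64_BLOB.findall(html)
    if blobs:
        biggest = max(blobs, key=len)
        reasons.append(f"embedded base64 blob of {len(biggest)} chars")
        # Decode only a 64-char prefix (48 bytes) to sniff the payload type
        # without materialising the whole blob.
        try:
            head = base64.b64decode(biggest[:64])
        except ValueError:
            head = b""
        for magic, name in MAGICS:
            if head.startswith(magic):
                reasons.append(f"blob decodes to {name} header")
    return Verdict(suspicious=len(reasons) >= threshold, score=len(reasons), reasons=reasons)


# Constructed sample: an inert PE-looking blob (MZ header followed by zero bytes).
CONSTRUCTED_PAYLOAD = base64.b64encode(b"MZ" + b"\x00" * 200).decode()

SAMPLE_SMUGGLING = f"""<html><body>
<p>Your document is loading...</p>
<script>
  // constructed fragment containing the indicator tokens; not a working page
  var raw = atob("{CONSTRUCTED_PAYLOAD}");
  var file = new Blob([raw]);
  var a = document.createElement("a");
  a.href = URL.createObjectURL(file);
  a.download = "invoice.pdf";
</script></body></html>"""

# Constructed benign newsletter for comparison.
SAMPLE_BENIGN = """<html><body><h1>Monthly newsletter</h1>
<p>Read the full story at <a href="https://example.invalid/news">our site</a>.</p>
</body></html>"""


if __name__ == "__main__":
    for label, sample in (("smuggling", SAMPLE_SMUGGLING), ("benign", SAMPLE_BENIGN)):
        v = scan_html(sample)
        print(label, "suspicious" if v.suspicious else "clean", v.score, v.reasons)
```

The threshold matters: a legitimate HTML email with an inline base64 image also contains a long blob, but on its own that scores 1 and stays below the bar, whereas the decode-assemble-download chain fires several indicators at once.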
They also use PDFs containing URLs that trigger an attack chain, which have been in use since December, particularly by TA570, which is known to deliver the Qbot banking and information-stealing Trojan.
Proofpoint also saw TA570 experimenting with encrypted PDF attachments in a large-scale campaign in April. The group uses encryption to make the threat harder for defenders to detect, often successfully.
OneNote docs are on the scene
In December 2022, Proofpoint saw campaigns using OneNote documents to deliver the AsyncRAT remote access Trojan. OneNote from Microsoft is a digital note-taking application in Microsoft 365 that is used to store information, plans, research, and other data. Within a few months, there were more than 120 campaigns using OneNote files.
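The delivery vectors this article walks through (LNK, ISO and RAR attachments, XLL add-ins, link-bearing and encrypted PDFs, and now OneNote files) share one property for a defender: each can be triaged at the mail gateway by attachment type and a few byte-level checks, before any user opens anything. The following Python is an added example, not code from the article or from Proofpoint: it parses a constructed .eml with the standard library, maps each attachment's extension to the risk the article describes, and checks the bytes for a PE header and for PDF encryption or link actions. The extension list, the risk wording and the sample message are assumptions built for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed policy table: attachment types the article reports attackers moving to after macros.
RISKY_EXT = {
    ".lnk": "Windows shortcut (LNK) used as a loader",
    ".iso": "disk image container",
    ".img": "disk image container",
    ".rar": "RAR archive container",
    ".xll": "Excel XLL add-in (native code)",
    ".one": "OneNote document that can carry embedded files",
    ".html": "HTML attachment (possible HTML smuggling)",
    ".htm": "HTML attachment (possible HTML smuggling)",
    ".docm": "macro-enabled Word document",
    ".xlsm": "macro-enabled Excel workbook",
}


def triage(raw_eml: bytes) -> list[dict]:
    """Return one finding per attachment: filename, risk level and the reasons behind it."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        reasons = []
        if ext in RISKY_EXT:
            reasons.append(RISKY_EXT[ext])
        if ext == ".pdf":
            # Encrypted PDFs hide content from scanners; /URI and /Launch carry external actions.
            if b"/Encrypt" in data:
                reasons.append("encrypted PDF (content hidden from content inspection)")
            if b"/URI" in data or b"/Launch" in data:
                reasons.append("PDF with external link or launch action")
        if data[:2] == b"MZ":
            # A DOS/PE header means native executable content regardless of the extension.
            reasons.append("PE executable header (MZ)")
        findings.append({"filename": name, "risk": "high" if reasons else "low", "reasons": reasons})
    return findings


def build_sample_eml() -> bytes:
    """Constructed message with four attachments; none of the payloads is functional."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"MZ" + b"\x00" * 64, maintype="application",
                       subtype="octet-stream", filename="plugin.xll")
    msg.add_attachment(b"%PDF-1.7\n1 0 obj << /Encrypt 12 0 R >> endobj\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, maintype="image",
                       subtype="png", filename="logo.png")
    msg.add_attachment(b"placeholder notebook bytes", maintype="application",
                       subtype="octet-stream", filename="notes.one")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in triage(build_sample_eml()):
        print(f"{f['filename']:<14} {f['risk']:<5} {'; '.join(f['reasons'])}")
```

The point of keeping the byte checks separate from the extension table is the article's own observation that the popular container changes every few months: when the next vector appears, the table gains a line, while the header checks keep catching executable or encrypted content whatever name it arrives under.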
Proofpoint researchers write that continuous experimentation with new techniques will force threat hunters, malware analysts, and other defenders to adapt quickly, discover campaigns, and build defenses.
“The experimentation and systematic shift to new payload delivery techniques by tracked threat actors, particularly IABs, differs significantly from attack chains observed prior to 2022 and heralds a new normal for threat activity,” the researchers wrote.
“It is unlikely that there will ever be a single attack chain or series of methods that remains consistent or has the same staying power as macro-enabled attachments before.” ®