After Microsoft Macro Malware Crackdown, Attackers Explore New Options

A month after Microsoft started rolling out a plan to block macros obtained from the internet by default, threat actors are utilizing new malware delivery methods for spear-phishing attacks that decrease their reliance on malicious macros.

Ole Villadsen, senior analyst with IBM Security’s X-Force Threat Intelligence team, said that since late last year he has observed attackers increasingly introducing other types of downloaders or droppers that do not rely on macros, including XLL files, ISO images, Microsoft shortcut files and MSI files.

“These new file types have been used to distribute Emotet, Qakbot, JSSloader, and other payloads,” he said. “In some cases, attackers may be experimenting with the new file types to get a sense of how well they work compared with previous approaches that rely on macros.”

In a recent low-volume Emotet campaign in April, for instance, researchers observed the attackers using XLL files, a type of dynamic link library (DLL) file that is designed to increase the functionality of Excel. The campaign exhibited marked changes from typical behaviors of the malware, which previously leveraged Microsoft Excel or Word documents that contain VBA or XL4 macros. In an April analysis, Proofpoint researchers speculated that the threat actor behind Emotet, TA542, was testing these new tactics on a small scale before deploying them at a broader level.

“It is notable that TA542 is interested in new techniques that do not rely on macro-enabled documents as Microsoft is making it increasingly difficult for threat actors to use macros as an infection vector,” said Proofpoint researchers in an analysis. “Typically, threat actors including TA542 that use macro-enabled attachments rely on social engineering to convince a recipient the content is trustworthy, and enabling macros is necessary to view it.”

Microsoft first unveiled its plans to block macros obtained from the internet by default for several Office applications – Access, Excel, PowerPoint, Visio and Word – on devices running Windows. The move was viewed as a potential game-changer for how attackers launch email-based attacks. Macros are programs written in Visual Basic for Applications (VBA) that are often used to automate repetitive tasks in Microsoft Office applications. However, cybercriminals have leveraged them to deliver malicious payloads or steal sensitive data. An attacker merely needed to send an email with an Office attachment to unknowing targets and convince them to enable the malicious macros.

However, Microsoft’s updates now add extra measures with the goal of making this type of abuse more difficult: If users are trying to enable macros in files that are obtained from the internet, a security warning message bar tells them that Microsoft has blocked macros due to the source of the file being untrusted. End users are then pointed to an article containing information about the security risks of macros, safe practices to prevent phishing and instructions on how to enable the macros.

Sean Gallagher, senior threat researcher with SophosLabs, said researchers are seeing a definite overall decline right now in document-based droppers – though it’s hard to say if the move is permanent due to constant changes over the past year.

“We have seen indications that several specific, prevalent malware families have made a bit of a pivot recently away from document downloaders to different deployment methods that bypass the changes,” said Gallagher. “Qakbot and IcedID have moved to ISO delivery, while we’ve seen Emotet move to a Windows shortcut package that executes PowerShell.”
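Microsoft’s block described above keys off the Zone.Identifier alternate data stream (the “Mark of the Web”) that Windows attaches to files saved from the internet, which is why the shift to container and non-document carriers matters: a file extracted from a mounted image or carried inside a shortcut package may lack that mark even though the outer file was downloaded. The following PowerShell script is an added example for defenders, not code from the article or from any of the researchers quoted; it triages a directory of saved attachments, reporting whether each file carries the mark and whether its type is one of the non-macro carriers named above. The directory path and the flagged-extension list are assumptions for the example.

```powershell
# Added example (not from the article): triage saved email attachments.
# Reports, per file, the Zone.Identifier zone (3 = Internet, which is what the
# Office macro block consults) and whether the file type is one of the non-macro
# carriers the article names (XLL, ISO, LNK, MSI). Requires the Windows
# FileSystem provider, since alternate data streams are an NTFS feature.

# Assumption: extension list chosen for this example from the types named in the article.
$RiskyExtensions = @('.xll', '.iso', '.lnk', '.msi')

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # Zone.Identifier is an NTFS alternate data stream with INI-style content,
    # e.g. "[ZoneTransfer]" followed by "ZoneId=3". Absent stream -> no mark.
    $stream = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $content = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Test-Attachments {
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -Path $Directory -File -Recurse | ForEach-Object {
        $zone  = Get-MotwZone -Path $_.FullName
        $ext   = $_.Extension.ToLowerInvariant()
        $risky = $RiskyExtensions -contains $ext

        # Plain-language verdict for the analyst reading the table.
        if ($risky) {
            $note = 'non-macro carrier type; inspect contents before opening'
        } elseif ($zone -eq 3) {
            $note = 'internet-sourced; Office macro block applies'
        } elseif ($null -eq $zone) {
            $note = 'no Mark of the Web; Office macro block will not apply'
        } else {
            $note = "zone $zone; not treated as internet-sourced"
        }

        [pscustomobject]@{
            File         = $_.FullName
            Extension    = $ext
            ZoneId       = $zone
            FromInternet = ($zone -eq 3)
            RiskyCarrier = $risky
            Note         = $note
        }
    }
}

# Usage (placeholder path, assumed for the example):
# Test-Attachments -Directory 'C:\Quarantine\Attachments' | Format-Table -AutoSize
```

Files flagged as both a risky carrier and lacking the mark are the ones worth a closer look, since neither the macro block nor the download warning will stand between the user and whatever the container holds.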

Organizations need to be cognizant that these threats evolve constantly, said Gallagher, with attackers adjusting their tactics to find the least expensive and most effective way to drop malware.

“Defense in depth – including signature and behavior detection, reputation and network detection, software patching, and good user education about how threats work and how to spot and avoid them – is the best way to reduce the probability of a malware actor’s success,” said Gallagher.
