Microsoft’s decision to block internet-sourced macros by default last year is forcing attackers to find new and creative ways to compromise systems and deliver malware, according to threat researchers at Proofpoint.
“The cybercriminal ecosystem has experienced a monumental shift in activity and threat behavior over the last year in a way not previously observed by threat researchers,” the security team wrote in a report [PDF] just before the weekend. “Financially motivated threat actors that gain initial access via email are no longer using static, predictable attack chains, but rather dynamic, rapidly changing techniques.”
There were more than 700 cyber campaigns in 2021 that used Visual Basic for Applications (VBA) macros in their attacks, and almost the same number used XL4 macros, which are specific to Excel, the researchers wrote.
No macros for you
After Redmond last year blocked both types of macros by default when the file was downloaded from the internet, to bolster security for Office users, the number of campaigns that used either technique fell almost 66 percent, and in the first three months of this year “macros have barely made an appearance in campaign data,” Team Proofpoint claimed.
“This change is largely driven by Microsoft blocking macros by default and forcing everyone along the threat actor food chain from small crime commodity actors to the most experienced cybercriminals that enable major ransomware attacks to change the way they conduct business,” according to the researchers.
Instead, miscreants are now finding fresh avenues for gaining initial access into victims’ systems, a number of which we’ve detailed in The Register, including LNK files, ISO and RAR attachments, and Excel XLL add-ins, at least until Microsoft blocked those earlier this year.
Security pros had pushed Microsoft to block downloaded macros as defaults well before Redmond’s move, noting their wide use by cybercriminals. Since the software vendor revisited its defaults, there’s been significant change in behavior and techniques among online criminals, Proofpoint researchers wrote.
They analyzed the telemetry collected from billions of messages a day and researched data from threat campaigns between January 2021 and March 2023.
Cybercriminals distributed macro-enabled documents to targeted users and relied on social engineering techniques to convince victims that the content was important and that enabling macros would be needed to see it. If the message recipients did that, the malware payload was delivered.
They’re now not only shifting away from macros but are also testing other methods for gaining initial access through email, and no single consistent, reliable technique has yet been widely adopted among miscreants.
In addition, there appears to be a follow-the-leader mentality among the crooks. One or more threat groups will adopt a new technique that within weeks and months will be used by even more miscreants. And that trend promises to continue, Proofpoint suggested.
“Some more sophisticated ecrime actors have the time and resources available to develop, iterate, and test different malware delivery techniques,” the researchers wrote.
The tendency to copy what other threat groups are doing was apparent in the use of LNK files. Before April 2022, few initial access brokers (IABs) – groups that gain access into compromised systems and then sell that access to other cybercriminals, including ransomware operators – used LNK files.
But four threat groups started using such files, including TA542 to deliver the notorious Emotet malware, and soon others were doing the same, until the popularity of LNK files began to fade in favor of other methods.
HTML and PDF attachments get popular
Among those is HTML smuggling, whose use accelerated between June and October 2022 before dropping off and then coming back in February. Miscreants use the technique to smuggle encoded malicious script in an HTML attachment. When the attachment is opened, the web browser decodes the script, which assembles the malware on the compromised computer.
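As an added illustration of how defenders can triage attachments for the HTML smuggling pattern described above (this is example code written for this page, not Proofpoint’s tooling), the scorer below looks for the client-side decode-and-download chain plus a large embedded base64 literal. The two HTML samples are constructed; the base64 in the “smuggled” one decodes to harmless filler.

```python
import re

# Indicators of the HTML-smuggling pattern: the attachment carries an encoded
# blob, decodes it in the browser, and hands it over as a file download.
JS_INDICATORS = [
    r"\batob\s*\(",                   # base64 decode in the browser
    r"new\s+Blob\s*\(",               # assemble decoded bytes into a file object
    r"createObjectURL\s*\(",          # turn the blob into a downloadable URL
    r"msSaveOrOpenBlob",              # legacy IE/Edge download API
    r"\.download\s*=|\bdownload\s*=", # forced download attribute or property
]
# A long base64 literal inside the page is where the payload is usually embedded.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")

def score_html(html: str) -> dict:
    """Return the matched indicators and a verdict for one HTML attachment."""
    hits = [p for p in JS_INDICATORS if re.search(p, html, re.IGNORECASE)]
    blob = B64_LITERAL.search(html)
    if blob:
        hits.append(f"base64 literal ({len(blob.group(1))} chars)")
    # Heuristic threshold (assumption): one indicator alone is common in benign
    # pages, but decode + file creation + large literal together is the pattern.
    return {"indicators": hits, "suspicious": len(hits) >= 3}

# Constructed benign sample: a plain download link, no client-side assembly.
BENIGN_HTML = (
    '<html><body><p>Quarterly report</p>\n'
    '<a href="report.pdf" download="report.pdf">Download report</a>\n'
    '<script>document.title = "Report";</script></body></html>'
)

# Constructed smuggling-shaped sample; "QUFB" * 60 is base64 for repeated "AAA".
SMUGGLED_HTML = (
    '<html><body><script>\n'
    'var b64 = "' + "QUFB" * 60 + '";\n'
    'var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));\n'
    'var blob = new Blob([bytes], {type: "application/octet-stream"});\n'
    'var a = document.createElement("a");\n'
    'a.href = URL.createObjectURL(blob);\n'
    'a.download = "invoice.iso";\n'
    'a.click();\n'
    '</script></body></html>'
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_HTML), ("smuggled", SMUGGLED_HTML)):
        print(name, score_html(sample))
```

Such a scorer is a triage aid for mail gateways or sandbox pipelines, not a verdict on its own; legitimate pages that build downloads in the browser will also trip it.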
They also use PDF files that include a URL that kicks off an attack chain, a method that has been in use since December, especially by TA570, which is known for delivering the Qbot banking trojan and info-stealing malware.
TA570 was also seen by Proofpoint experimenting with encrypting PDF attachments in a wide-ranging campaign in April. The group uses encryption to make it more difficult for defenders to detect the threat, often successfully.
OneNote documents hit the scene
In December 2022, Proofpoint saw campaigns using OneNote documents to deliver the AsyncRAT remote access trojan. Microsoft’s OneNote is a digital note-taking app in Microsoft 365 used to store information, plans, research, and other data. Within a few months, there were more than 120 campaigns using OneNote files.
The ongoing experimentation with new techniques is going to force threat hunters, malware analysts, and other defenders to quickly adapt, detect campaigns, and create defenses, Proofpoint researchers wrote.
“The experimentation with and regular pivoting to new payload delivery techniques by tracked threat actors, especially IABs, is vastly different from attack chains observed prior to 2022 and heralds a new normal of threat activity,” the researchers wrote.
“It is unlikely there will be a single attack chain or series of techniques that remain consistent or have the same staying power as macro-enabled attachments once had.” ®