Last year, Microsoft responded to cybercriminals’ penchant for infiltrating malicious code into companies via Office document macros. To this end, XL4 and VBA macros are now blocked for Office users in the default settings. This step has actually had an effect.
The use of macros to spread malware has dropped by a whopping 66 percent between October 2021 and June 2022, according to research by cybersecurity experts Proofpoint. However, criminals have found new ways to infect businesses with malware, according to the report, and have increasingly turned to the use of container files.
Prior to Microsoft’s disabling of macros, cybercriminals used them on a large scale to have Office application users automatically execute malicious content. In addition to VBA macros, they primarily used Excel-specific XL4 macros. The masterminds behind macro-based attacks typically rely on social engineering to convince the intended recipient that the content is important and that enabling macros is therefore required to view that content.
Sherrod DeGrippo, Vice President Threat Research and Detection at Proofpoint, summarizes the research findings by saying, “The fact that cybercriminals are increasingly forgoing the direct distribution of macro-based file attachments in emails represents a significant shift in the threat landscape. Attackers are instead relying on new tactics to spread malware. The increasing use of file types such as ISO, LNK and RAR can be expected to continue.”
New Approach
Microsoft blocks macros that have a mark-of-the-Web (MOTW) attribute. This attribute indicates whether a file originated on the Internet and is based on something called the Zone.Identifier. Microsoft applications add this attribute to certain documents when they are downloaded from the Internet.
However, cybercriminals can use container file formats such as ISO (.iso), RAR (.rar), ZIP (.zip) and IMG (.img) to subvert this MOTW-based security feature. Once downloaded, the container files are marked with the MOTW attribute because they were downloaded from the Internet, but the document they contain, such as a macro-enabled spreadsheet, is not marked with the attribute.
When the document is extracted, the user still has to enable macros for the malicious code to run automatically, but the file system will not recognize that the document is from the Internet and thus potentially dangerous.
In addition, criminals are capable of using container files to directly spread a dangerous payload. For this purpose, container files may contain additional content such as LNKs, DLLs or executables (.exe) that lead to the installation of such a payload.
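One way to act on the paragraphs above at a mail gateway or download share is to identify container attachments by magic bytes and list the payload types the article names inside ZIPs, including nested ones. This is an added example, not code from Proofpoint's report; the extension list, size limit, function names and sample archive are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Assumed policy list: payload types the article names (LNK, DLL, EXE, XLL,
# disk images) plus common macro-enabled Office extensions.
RISKY_EXT = {".lnk", ".dll", ".exe", ".xll", ".iso", ".img", ".rar",
             ".xlsm", ".xlsb", ".docm"}

def container_type(data: bytes):
    """Identify a container by magic bytes rather than by file name."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:6] == b"Rar!\x1a\x07":
        return "rar"
    if data[0x8001:0x8006] == b"CD001":   # ISO 9660 volume descriptor
        return "iso"
    return None                            # raw .img has no reliable magic

def triage(name: str, data: bytes, depth: int = 0, max_depth: int = 3):
    """Return findings for one attachment, recursing into nested ZIPs."""
    kind = container_type(data)
    if kind is None:
        return []
    findings = [f"{name}: {kind} container"]
    if kind != "zip":
        return findings + [f"{name}: contents not inspected"]  # ISO/RAR: other tooling
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            path = f"{name}!{info.filename}"
            if info.flag_bits & 0x1:       # password-protected member
                findings.append(f"{path}: encrypted, cannot inspect")
                continue
            if ext in RISKY_EXT:
                findings.append(f"{path}: risky type {ext}")
            if depth < max_depth and info.file_size <= 50_000_000:
                findings += triage(path, zf.read(info), depth + 1, max_depth)
    return findings

def make_zip(members: dict) -> bytes:
    """Build a constructed sample ZIP in memory from harmless placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()

SAMPLE = make_zip({"invoice.xlsm": b"placeholder", "readme.txt": b"hello",
                   "inner.zip": make_zip({"open_me.lnk": b"placeholder"})})
```

Calling `triage("attachment.zip", SAMPLE)` reports the macro-enabled workbook and the LNK hidden one level down; ISO and RAR attachments are recognised but their members are left for other tooling.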
The Curve Is Pointing Upwards
As the graph shows, the use of container files has increased dramatically during the period when the use of macros has decreased:
Proofpoint’s research found a significant drop in macro-enabled documents sent as email attachments in attacks. Between October 2021 and June 2022, their number decreased by more than two-thirds. During the same period, the number of campaigns that used container files as well as Windows Shortcut (LNK) attachments increased by nearly 175 percent.
This increase is due in part to the growing use of ISO and LNK files in campaigns. Cybercriminals are increasingly using them as an initial access mechanism. This is true, for example, of actors spreading the Bumblebee malware, which has made headlines recently. The use of ISO files increased by more than 150 percent between October 2021 and June 2022. More than half of the 15 cybercriminal groups tracked that used ISO files during this period did not deploy them in campaigns until after January 2022.
The most noticeable change in cybercriminals’ methods is the emergence of LNK files; at least 10 cybercriminal groups have begun using LNK files since February 2022. The number of campaigns containing LNK files has grown by 1,675 percent since October 2021. Proofpoint specialists have observed various cybercriminal and advanced persistent threat (APT) groups increasing their use of LNK files since October 2021.
In particular, the activities of large cybercriminal groups are reflected in Proofpoint’s analysis. For example, the experts observed a surge in the use of XL4 macros in March 2022, bucking the general trend. They attribute this increase to the TA542 group, which spreads the Emotet malware and ran more campaigns in March with a higher message volume than in previous months.
Typically, TA542 uses Microsoft Excel or Word documents that contain VBA or XL4 macros. Emotet activity decreased in April, and in subsequent campaigns TA542 has used additional distribution methods, including Excel Add In (XLL) files and zipped LNK attachments.
The Proofpoint team also observed a slight increase in the use of HTML attachments to spread malware. According to the report, the number of malware campaigns using HTML attachments more than doubled from October 2021 to June 2022, but the total number remains low relative to the other methods described. Cybercriminals are increasingly using “HTML smuggling,” a technique used to “smuggle” encrypted malicious code into a specially crafted HTML attachment or web page.
Tectonic Shift
Cybercriminals are turning away from macro-enabled documents and increasingly using other file types as initial payloads. In particular, ISO and other container file formats, as well as LNK files, are becoming popular. Such file types can bypass Microsoft’s macro protection and facilitate the injection of executables that can lead to data espionage and theft, as well as infection with ransomware.
Proofpoint security experts rate this shift as one of the biggest changes in the email threat landscape in recent history. According to them, this tectonic shift is not a short-term trend, but requires permanent changes in enterprises’ cybersecurity strategies.