Hackers Pivoting Around Macro Blocking in Microsoft Office

Microsoft’s default blocking of macros in its Office suite is not stopping hackers. Now that their primary method of threat delivery is being cut off, they are using alternative file types to host malicious payloads.

The use of macro-enabled attachments by threat actors has decreased dramatically in the past year, according to new data from Proofpoint published in a blog post Thursday. The decrease began when Microsoft announced it would block XL4 macros by default for Excel users. This was followed by the blocking of VBA macros by default across the Office suite this year.

As Microsoft continues to improve its Office suite security, hackers are increasingly resorting to other file types as vessels for malware, Trend Micro researchers said. Specifically, the company is seeing an increase in the use of “container files” such as ISO and RAR attachments as well as Windows Shortcut (LNK) files.

In the course of eight months, the use of malicious macros in documents dropped by 175 percent. However, malicious containers that include ISO, RAR, and LNK attachments increased by a similar amount.

Hackers are using tricks to avoid detection. They are increasingly using container formats such as ISO, RAR, ZIP, and IMG to send malicious documents. Attackers do this because, although the container file itself carries a marker (the Mark of the Web, which Windows attaches to files that came from the internet), that marker does not apply to the contents of the container.

When the document is extracted from the email, it is not immediately dangerous. The user must allow macros to run in order for the malware to automatically execute. The file system will still identify the document as a Word document.

In addition, hackers use container files to directly distribute payloads by adding links to malicious content such as DLLs, LNKs, and executable (.exe) files.
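For defenders, the practical consequence is that an attachment has to be judged by what is inside the container, not by the container's name or marker. The following triage sketch is an added example, not code from the article or from Proofpoint: it identifies containers by signature, unpacks ZIP archives recursively (Office documents are ZIPs too, so an embedded VBA project is found the same way), and only flags RAR and ISO files because the standard library cannot unpack them. The function names, the extension deny-list, the size cap and the sample archive are all assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

# Signatures for container types the article names: (offset, signature, label).
MAGIC = [(0, b"PK\x03\x04", "zip"), (0, b"Rar!\x1a\x07", "rar"), (0x8001, b"CD001", "iso")]
RISKY_EXT = {".lnk", ".dll", ".exe", ".docm", ".xlsm", ".pptm"}  # assumed deny-list
MAX_MEMBER = 20 * 1024 * 1024  # assumed cap so an archive bomb is not expanded in memory

def sniff(data):
    """Identify a container by signature rather than by its file name."""
    return next((lbl for off, sig, lbl in MAGIC if data[off:off + len(sig)] == sig), None)

def triage(name, data, depth=0, max_depth=3):
    """Return (path, reason) findings for an attachment and everything nested in it."""
    findings = []
    ext = posixpath.splitext(name)[1].lower()
    if ext in RISKY_EXT:
        findings.append((name, f"risky type {ext}"))
    if name.lower().endswith("vbaproject.bin"):
        findings.append((name, "VBA macro project"))
    kind = sniff(data)
    if kind in ("rar", "iso"):  # the standard library cannot unpack these
        findings.append((name, f"{kind} container, contents not inspected"))
    elif kind == "zip" and depth >= max_depth:
        findings.append((name, "nesting limit reached"))
    elif kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    path = f"{name}/{info.filename}"
                    if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                        findings.append((path, "encrypted or oversized member, not inspected"))
                        continue
                    findings += triage(path, zf.read(info), depth + 1, max_depth)
        except zipfile.BadZipFile:
            findings.append((name, "malformed zip"))
    return findings

def build_sample():
    """Constructed sample: a ZIP holding a macro-enabled document and a shortcut."""
    def make_zip(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for member, content in members:
                zf.writestr(member, content)
        return buf.getvalue()
    docm = make_zip([("word/vbaProject.bin", b"constructed placeholder")])
    return make_zip([("invoice.docm", docm), ("open_me.lnk", b"stub"), ("notes.txt", b"hi")])
```

Calling `triage("invoice.zip", build_sample())` reports the macro-enabled document, the VBA project inside it, and the shortcut, while leaving `notes.txt` unflagged.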
