Friday, June 14, 2024

Hackers Use New Tactics To Spread Malware as Microsoft Blocked Macros by Default

As Microsoft Office began blocking malicious macros by default in many of its programs, hackers began to change their tactics after they had previously distributed malware via phishing attachments with malicious macros.

The cybersecurity experts at Proofpoint have claimed that it has now become more common for hackers to use new file types such as:- 

  • ISO
  • RAR
  • Windows Shortcut (LNK) attachments

There are several types of macros that can be created in Microsoft Office programs that automate repetitive tasks. These include VBA macros and XL4 macros. While the threat actors use them in a variety of ways, including:-

  • Malware loading
  • Dropping malware
  • Installing malware

It is because Microsoft announced that they were going to block macros by default on their Office subsystem in order to end the abuse of the subsystem that Microsoft was experiencing.

In this way, the hackers will have a harder time activating them, so the users will be safer. 

Shifting to New Tactics

Compared to the same period last year, macros have been used 66% less, a clear sign that there has been a shift away from macros as a means of distributing payloads.

There is also an increase of almost 175% in the use of container files, which have grown steadily over the past few years. The use of LNK files has been reported by at least 10 different threat actors since February 2022, which is quite a large number.

Since the month of October 2021, there was an increase of 1,675% in the number of campaigns containing LNK files. These new methods have led to the distribution of several notable malware families, including:-

While apart from this, Proofpoint analysts have tracked these events and found that the use of HTML attachments to drop malicious files on the host system has increased significantly in the past year. 

Despite this, they continue to have small distribution volumes despite their growing popularity. It is now becoming more common for threat actors to use a variety of file types in order to gain access to files at the beginning instead of macro-enabled documents. 

LNK files and ISO formats have been adopted due to this change. Microsoft’s macro blocking protection can be bypassed using such filetypes, as well as the distribution of executable files can be simplified.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles