Hackers Use New Tactics To Spread Malware as Microsoft Blocked Macros by Default

As Microsoft Office began blocking malicious macros by default in many of its programs, hackers began to change their tactics after they had previously distributed malware via phishing attachments with malicious macros.

The cybersecurity experts at Proofpoint have claimed that it has now become more common for hackers to use new file types such as:- 

  • ISO
  • RAR
  • Windows Shortcut (LNK) attachments

There are several types of macros that can be created in Microsoft Office programs that automate repetitive tasks. These include VBA macros and XL4 macros. While the threat actors use them in a variety of ways, including:-

  • Malware loading
  • Dropping malware
  • Installing malware

It is because Microsoft announced that they were going to block macros by default on their Office subsystem in order to end the abuse of the subsystem that Microsoft was experiencing.

In this way, the hackers will have a harder time activating them, so the users will be safer. 

Shifting to New Tactics

Compared to the same period last year, macros have been used 66% less, a clear sign that there has been a shift away from macros as a means of distributing payloads.

There is also an increase of almost 175% in the use of container files, which have grown steadily over the past few years. The use of LNK files has been reported by at least 10 different threat actors since February 2022, which is quite a large number.

Since the month of October 2021, there was an increase of 1,675% in the number of campaigns containing LNK files. These new methods have led to the distribution of several notable malware families, including:-

While apart from this, Proofpoint analysts have tracked these events and found that the use of HTML attachments to drop malicious files on the host system has increased significantly in the past year. 

Despite this, they continue to have small distribution volumes despite their growing popularity. It is now becoming more common for threat actors to use a variety of file types in order to gain access to files at the beginning instead of macro-enabled documents. 

LNK files and ISO formats have been adopted due to this change. Microsoft’s macro blocking protection can be bypassed using such filetypes, as well as the distribution of executable files can be simplified.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Tags: Malware
Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government entities and energy companies.  The attackers,…

1 hour ago

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to dismantle its operations. Initially detected in…

1 hour ago

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source nature. However, it has a big…

2 hours ago

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation, and growth. However, this shift towards…

2 hours ago

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed light on the growing concerns within…

5 hours ago

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse engineering .NET malware.  The write-up outlines…

6 hours ago