Monday, November 4, 2024
HomeCyber Security NewsHackers Adapting New Unique Way to Overcome Microsoft Default Macro Block

Hackers Adapting New Unique Way to Overcome Microsoft Default Macro Block

Published on

Malware protection

There has been a shift in threat actor behavior in recent years. Observations by threat researchers showed a peak in their change of activities.

Ever since, Microsoft disabled macros by default, which was extensively exploited by threat actors and paved the initial way for ransomware attacks.

In October 2021, Microsoft announced they would block XL4 and VBA macros by default for MS Office users, which was rolled out in 2022. Proofpoint analysis and report showed how threat actors experimented with payload delivery, old file types, and unpredictable attack chains.

- Advertisement - SIEM as a Service

As per the reports from Proofpoint research conducted between January 2021 and March 2023,

  • Threat actors are researching the most effective way to infiltrate, which has no reliable or consistent technique. Multiple methods are in use.
  • A new technique implemented by one threat group is adopted by several other groups later.
  • Several malware delivery methods are under testing phases by many sophisticated e-crime actors.

There has been a downslope in campaigns using macros. Compared to 2021, macros-based campaigns have reduced by up to 66% in 2022. There has been minimal usage of macros-based campaigns in 2023.

Macros-based campaigns [Source: Proofpoint]

Alternatively, ISO attachment-based campaigns were adopted initially, which bypasses the macros restriction, which works around the mark-of-the-web (MOTW) attribute restriction. However, it was fixed by Microsoft in November 2022.

In addition, HTML smuggling, PDF-based campaigns, and OneNote explosions were several other methods that threat actors adopted.

According to February 2023 campaigns, nine different attack chains are followed by threat actors currently.

  • Zip Attachment → OneNote File → HTA → Qbot DLL
  • OneNote Attachment → HTA → CURL → Qbot DLL
  • URL → Zip → OneNote File → HTA → CURL→ Qbot DLL
  • PDF Attachment → Actor-Controlled URL → Zip → ISO → LNK → CMD → EXE → Qbot DLL
  • OneNote Attachment → WSF → JScript → PowerShell → Qbot DLL
  • PDF Attachment → OneDrive URL → JavaScript File → PowerShell → Qbot DLL
  • OneNote Attachment → CMD → PowerShell → Qbot DLL
  • OneNote Attachment → CHM → PowerShell → Qbot DLL
  • HTML Attachment → Pop Up → HTML Smuggling → Zip → Password → IMG → LNK → CMD → REG → WSF → PowerShell → Qbot DLL

A Complete detailed analysis of the report has been published by Proofpoint, which shows various techniques and methods used by threat actors.

Users must be aware when downloading or opening any malicious attachments and be vigilant about these threat actors.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...