Friday, July 19, 2024

Hackers Adapting New Unique Way to Overcome Microsoft Default Macro Block

There has been a shift in threat actor behavior in recent years. Observations by threat researchers showed a peak in their change of activities.

Ever since, Microsoft disabled macros by default, which was extensively exploited by threat actors and paved the initial way for ransomware attacks.

In October 2021, Microsoft announced they would block XL4 and VBA macros by default for MS Office users, which was rolled out in 2022. Proofpoint analysis and report showed how threat actors experimented with payload delivery, old file types, and unpredictable attack chains.

As per the reports from Proofpoint research conducted between January 2021 and March 2023,

  • Threat actors are researching the most effective way to infiltrate, which has no reliable or consistent technique. Multiple methods are in use.
  • A new technique implemented by one threat group is adopted by several other groups later.
  • Several malware delivery methods are under testing phases by many sophisticated e-crime actors.

There has been a downslope in campaigns using macros. Compared to 2021, macros-based campaigns have reduced by up to 66% in 2022. There has been minimal usage of macros-based campaigns in 2023.

Macros-based campaigns [Source: Proofpoint]

Alternatively, ISO attachment-based campaigns were adopted initially, which bypasses the macros restriction, which works around the mark-of-the-web (MOTW) attribute restriction. However, it was fixed by Microsoft in November 2022.

In addition, HTML smuggling, PDF-based campaigns, and OneNote explosions were several other methods that threat actors adopted.

According to February 2023 campaigns, nine different attack chains are followed by threat actors currently.

  • Zip Attachment → OneNote File → HTA → Qbot DLL
  • OneNote Attachment → HTA → CURL → Qbot DLL
  • URL → Zip → OneNote File → HTA → CURL→ Qbot DLL
  • PDF Attachment → Actor-Controlled URL → Zip → ISO → LNK → CMD → EXE → Qbot DLL
  • OneNote Attachment → WSF → JScript → PowerShell → Qbot DLL
  • PDF Attachment → OneDrive URL → JavaScript File → PowerShell → Qbot DLL
  • OneNote Attachment → CMD → PowerShell → Qbot DLL
  • OneNote Attachment → CHM → PowerShell → Qbot DLL
  • HTML Attachment → Pop Up → HTML Smuggling → Zip → Password → IMG → LNK → CMD → REG → WSF → PowerShell → Qbot DLL

A Complete detailed analysis of the report has been published by Proofpoint, which shows various techniques and methods used by threat actors.

Users must be aware when downloading or opening any malicious attachments and be vigilant about these threat actors.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles