Cybercriminals have adapted since Microsoft’s decision to block macros
Microsoft’s decision to disable macros by default has resulted in “vastly different … attack chains” from cybercriminals and a “new normal of threat activity,” researchers with the cybersecurity firm Proofpoint said Friday.
Macros — which enable certain automation in particular file types — were long a favorite way for hackers to lace documents with malicious scripts to download malware onto targeted systems during email phishing campaigns, the researchers said in a new report. But after Microsoft’s February 2022 decision, which the company fully implemented by July, attacks enabled through macros have dropped off precipitously, the researchers said in a report published Friday ahead of a talk at the Sleuthcon cybercrime conference in Arlington, Virginia.
The analysis, based on data gathered and analyzed between January 2021 and March 2023, notes that phishing campaigns relying on macros dropped nearly 66%, “and so far in 2023, macros have barely made an appearance in campaign data.”
A class of cybercriminals known as initial access brokers, for their role in gaining access to victim assets and then selling that access to others, has nevertheless adapted. Proofpoint said its telemetry allows for analyzing billions of messages per day, revealing “widespread threat actor experimentation in malware payload delivery, using old filetypes, unexpected attack chains, and a variety of techniques that result in malware infections, including ransomware.”
In July, Proofpoint took an initial look at the reaction to the changes to macros, finding that attackers pivoted to using container files such as ISO and RAR, and Windows Shortcut (LNK) files to distribute malware. A Microsoft update in November addressed part of the issue that made ISO files an attractive delivery method “and the use of ISO files by prominent ecrime threat actors declined significantly,” the researchers said. Similarly, LNK files were “initially favored as a technique,” but their use peaked in June and September 2022.
Another tactic, known as HTML smuggling, increased “dramatically” between June and October 2022 and rebounded in February 2023. A tactic that has been observed in various places in recent years, HTML smuggling describes a scenario where attackers hide encoded malicious scripts inside HTML attachments, which are decoded and assembled only when the recipient opens the file. Since October, the researchers said, the tactic has emerged in campaigns associated with unknown threat groups.
A tried and true method is also on the rise: malicious PDF file attachments. The researchers noted seeing multiple initial access brokers use PDF files starting in December 2022, with the use spiking in the beginning of 2023. In April 2023, a group Proofpoint tracks as TA570 — a known group associated with the Qakbot trojan and credential theft malware — was experimenting with PDF encryption, the researchers said, “which may have been an experiment from the actor to increase the difficulty for defenders to identify and block threats.”
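The delivery formats described in the preceding paragraphs (ISO images and RAR archives, LNK shortcuts, HTML attachments that reassemble a payload in the browser, encrypted PDFs, and the macro-bearing Office documents they replaced) share one useful property for defenders: each can be recognised from a few bytes of file structure before any content is rendered. The script below is an added example, not code from the article or from Proofpoint; it triages a single attachment by file signature and, for HTML, by the co-occurrence of several client-side decoding indicators. It goes beyond the text by covering all of the named formats in one function. The signatures come from the public file-format specifications; the HTML indicator list, the base64 length threshold and the two-indicator rule are assumptions made here rather than a published detection rule, and every sample is constructed inline with inert contents.

```python
import base64
import io
import re
import zipfile

# File signatures taken from the public format specifications (assumption:
# these are the checks a gateway would apply; not Proofpoint's detection logic).
RAR_MAGIC = b"Rar!\x1a\x07"                      # RAR4 and RAR5 both begin this way
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
ISO_SIGNATURE_OFFSET = 0x8001                    # "CD001" in the ISO 9660 primary volume descriptor

# HTML smuggling indicators: an encoded blob plus the JavaScript needed to
# decode it and hand it to the browser as a file download.
HTML_SMUGGLING_PATTERNS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "ms_save": re.compile(r"msSaveOrOpenBlob"),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
}
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{800,}={0,2}")  # long base64 run; 800 is an assumed threshold


def has_vba_project(data: bytes) -> bool:
    """OOXML files (docm/xlsm/pptm) store macros in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment and list the delivery-technique findings."""
    findings = []
    kind = "unknown"
    if data.startswith(b"%PDF"):
        kind = "pdf"
        if b"/Encrypt" in data:                  # encryption keeps content away from static scanners
            findings.append("pdf-encrypted")
    elif data.startswith(RAR_MAGIC):
        kind, findings = "rar", ["container-archive"]
    elif data[ISO_SIGNATURE_OFFSET:ISO_SIGNATURE_OFFSET + 5] == b"CD001":
        kind, findings = "iso", ["container-image"]
    elif data.startswith(LNK_MAGIC):
        kind, findings = "lnk", ["windows-shortcut"]
    elif data.startswith(OLE_MAGIC) or data.startswith(b"PK"):
        kind = "office"
        if has_vba_project(data) or b"_VBA_PROJECT" in data:
            kind, findings = "office-macro", ["vba-macro"]
    elif filename.lower().endswith((".html", ".htm")) or b"<html" in data[:2048].lower():
        kind = "html"
        text = data.decode("utf-8", "replace")
        hits = [name for name, pat in HTML_SMUGGLING_PATTERNS.items() if pat.search(text)]
        if BASE64_BLOB.search(data):
            hits.append("base64-blob")
        if len(hits) >= 2:                       # a single indicator is common in benign pages
            findings.append("html-smuggling:" + ",".join(sorted(hits)))
    return {"kind": kind, "findings": findings, "score": len(findings)}


# Constructed, inert samples: just enough structure to exercise each branch.
SMUGGLED_HTML = (
    b'<html><script>var b64="' + base64.b64encode(b"A" * 900) + b'";'
    b'var blob=new Blob([atob(b64)]);var a=document.createElement("a");'
    b'a.href=URL.createObjectURL(blob);a.download="invoice.iso";</script></html>'
)
CLEAN_HTML = b"<html><body><p>Quarterly report attached.</p></body></html>"
ENCRYPTED_PDF = b"%PDF-1.7\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R/Encrypt 2 0 R>>\n%%EOF"
LNK_SAMPLE = LNK_MAGIC + b"\x00" * 56
ISO_SAMPLE = b"\x00" * 0x8000 + b"\x01CD001\x01"
RAR_SAMPLE = RAR_MAGIC + b"\x00" * 17


def build_docm_sample() -> bytes:
    """Minimal OOXML zip carrying a vbaProject.bin part (dummy contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00dummy")
    return buf.getvalue()


def triage_all() -> dict:
    """Run every constructed sample through the triage and collect the results."""
    samples = {
        "report.html": SMUGGLED_HTML, "clean.html": CLEAN_HTML, "invoice.pdf": ENCRYPTED_PDF,
        "scan.lnk": LNK_SAMPLE, "disk.iso": ISO_SAMPLE, "archive.rar": RAR_SAMPLE,
        "memo.docm": build_docm_sample(),
    }
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{name:14} {result['kind']:13} {result['findings']}")
```

The two-indicator rule matters in practice: `atob` or a `download` attribute alone appears in plenty of legitimate mail (newsletters, SaaS notifications), but an inline base64 run of several hundred characters next to `Blob` and `createObjectURL` is the combination that distinguishes a smuggled payload from ordinary HTML. The classifier returns findings rather than a verdict so that the score can feed a quarantine policy that is tuned per organisation.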
TA570 serves as a good case study for the ongoing experimentation in the space, the researchers said, as the group previously used macros “almost exclusively” in campaigns to deliver malware. Since then, the group has experimented with as many as six different and unique attack chains in one month, including HTML smuggling, malicious PDFs, and various other file types.
“The experimentation with and regular pivoting to new payload delivery techniques by tracked threat actors, especially [initial access brokers], is vastly different from attack chains observed prior to 2022 and heralds a new normal of threat activity,” the researchers concluded. “No longer are the most experienced cybercriminal actors relying on one or a few techniques, but rather are frequently developing and iterating new TTPs. The rapid rate of change for many threat actors suggests they have the time, capability, and understanding of the threat landscape to rapidly develop and execute new techniques.”