A month after Microsoft started rolling out a plan to block macros obtained from the internet by default, threat actors are utilizing new malware delivery methods for spear-phishing attacks that decrease their reliance on malicious macros.
Ole Villadsen, senior analyst with IBM Security’s X-Force Threat Intelligence team, said that since late last year he has observed attackers increasingly introducing other types of downloaders or droppers that do not rely on macros, including XLL files, ISO images, Microsoft shortcut files and MSI files.
“These new file types have been used to distribute Emotet, Qakbot, JSSloader, and other payloads," he said. "In some cases, attackers may be experimenting with the new file types to get a sense of how well they work compared with previous approaches that rely on macros.”
In a recent low-volume Emotet campaign in April, for instance, researchers observed the attackers using XLL files, a type of dynamic link library (DLL) file that is designed to increase the functionality of Excel. The campaign exhibited marked changes from typical behaviors of the malware, which previously leveraged Microsoft Excel or Word documents that contain VBA or XL4 macros. In an April analysis, Proofpoint researchers speculated that the threat actor behind Emotet, TA542, was testing these new tactics on a small scale before deploying them at a broader level.
"In addition to Emotet, we have observed a variety of actors utilizing XLL files to stage their payloads, including those distributing other high-profile botnets or banking trojans such as Qbot and Ursnif," said Sherrod DeGrippo, vice president of threat research and detection with Proofpoint. "Though not observed since February, an unattributed threat actor also used this technique in campaigns delivering Bazaloader, a malware linked to the deployment of the high-profile ransomware Conti."
However, DeGrippo noted that macros are still being widely used, with over 1.5 million messages being observed over the past thirty days, with either a document containing macros attached or containing a URL leading to the same. In addition, researchers were already observing the regular use of a variety of techniques that bypassed “mark of the web” detection, even before Microsoft's announcement, she said.
“We have seen indications that several specific, prevalent malware families have made a bit of a pivot recently away from document downloaders to different deployment methods that bypass the changes."
In addition to XLL files, the use of ISO files are also on the rise, said DeGrippo.
"Whereas historically they may have been more closely associated with the delivery of commodity malwares such as Agent Tesla and FormBook, since the February announcement we have identified at least 7 actively tracked actor groups making use of the files as part of their delivery chain including those distributing more sophisticated malwares such as IcedID and the recently revealed Bumblebee loader," she said.
Microsoft first unveiled its plans to block macros obtained from the internet by default for several Office applications - Access, Excel, PowerPoint, Visio and Word - on devices running Windows. The move was viewed as a potential gamechanger for how attackers launch email-based attacks. Macros are programs written in Visual Basic for Applications (VBA) that are often used to automate repetitive tasks in Microsoft Office applications. However, cybercriminals have leveraged them with the end goal of delivering various malicious payloads or stealing sensitive data. Attackers would merely need to send an email to unknowing targets with an Office attachment and convince them to enable the malicious macros.
However, Microsoft’s updates now add extra measures with the goal of making this type of abuse more difficult: If users are trying to enable macros in files that are obtained from the internet, a security warning message bar tells them that Microsoft has blocked macros due to the source of the file being untrusted. End users are then pointed to an article containing information about the security risks of macros, safe practices to prevent phishing and instructions on how to enable the macros.
Sean Gallagher, senior threat researcher with SophosLabs, said researchers are seeing a definite overall decline right now in document-based droppers - though it’s hard to say if the move is permanent due to constant changes over the past year.
“We have seen indications that several specific, prevalent malware families have made a bit of a pivot recently away from document downloaders to different deployment methods that bypass the changes,” said Gallagher. “Qakbot and IcedID have moved to ISO delivery, while we’ve seen Emotet move to a Windows shortcut package that executes Powershell.”
Organizations need to be cognizant that these threats evolve constantly, said Gallagher, with attackers adjusting their tactics to find the least expensive and most effective way to drop malware.
"Defense in depth - including signature and behavior detection, reputation and network detection, software patching, and good user education about how threats work and how to spot and avoid them - is the best way to reduce the probability of a malware actor's success," said Gallagher.