Two months after Microsoft started blocking VBA macros obtained from the internet by default, researchers said that attackers are still relying on old delivery methods in the wild after observing hundreds of malicious Office documents being used to download and execute the Emotet malware in June.
Researchers with Netskope said they found 776 malicious spreadsheets submitted between June 9 and June 21 that abuse Excel 4.0 (XLM) macros to download and execute Emotet’s payload. Researchers believe that attackers are skirting the protections by targeting users who either rely on outdated Office versions or who have changed the default setting to explicitly enable macros.
“The fact that attackers are still using Excel 4.0 Macros indicates that there are outdated Office versions and users who have this protection disabled,” said Gustavo Palazolo, staff threat research engineer at Netskope, in a Monday analysis.
Microsoft's plan to block macros - programs written in Visual Basic for Applications (VBA) that are often used to automate repetitive tasks in Microsoft Office applications - obtained from the internet by default applies to several Office applications on devices running Windows. The change was first rolled out on April 12 as part of the Current Channel (Preview) for version 2203, and reached the Current Channel in version 2205 starting on June 6. While cybercriminals have previously leveraged macros to deliver various malicious payloads or steal sensitive data, Microsoft’s update makes this type of abuse more difficult. If users try to enable macros in files obtained from the internet, a security warning message bar tells them that Microsoft has blocked the macros because the source of the file is untrusted. End users are then pointed to an article containing information about the security risks of macros, safe practices to prevent phishing, and instructions on how to enable the macros.
After Microsoft’s protections were introduced earlier this year, researchers noted that attackers were increasingly turning to other types of downloaders or droppers that do not rely on macros, including XLL files, ISO images, Microsoft shortcut (LNK) files and MSI files. That includes Emotet: Netskope researchers observed an Emotet campaign using LNK files instead of Microsoft Office documents in April. At the same time, the use of Microsoft Office files in attacks overall has been steadily decreasing, said Palazolo. In May, Microsoft Office files represented less than 10 percent of malware downloads detected by Netskope researchers, down from 31 percent in January.
However, researchers noted that even as threat actors experiment with these newer delivery methods, they continue to rely on malicious macros. While inspecting the malicious spreadsheets, Netskope researchers extracted 18 URLs from the 776 samples observed overall (most of the samples shared the same URLs and some metadata), including four that were still online and ended in the delivery of Emotet. The files were being delivered as email attachments with lures commonly used in Emotet campaigns, such as purported quotes for business transactions and medical reports.
If macros were eventually enabled in these attacks despite Microsoft's protections, obfuscated malicious code in the spreadsheets downloaded the payload from an external URL and executed it with “regsvr32.exe.” The Emotet payload samples associated with these URLs contain slight changes from a sample that researchers had previously observed in April. The newer samples retrieve decrypted strings through function calls and obtain C2 addresses by parsing them via functions, rather than storing the data in the PE .data section, said researchers.
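The execution step described above, an Office application handing a downloaded module to regsvr32.exe, is something endpoint telemetry can flag. The following is an added detection example written for this article, not code from Netskope or Microsoft; it runs over constructed Sysmon-style process-creation events (Event ID 1) and generalizes slightly from Excel to the other Office applications. The field names and sample paths are assumptions.

```python
import ntpath

# Office applications that should rarely, if ever, spawn regsvr32.exe.
# The article concerns Excel; Word and PowerPoint are added as a generalization.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Directory fragments where a freshly downloaded payload typically lands.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# Constructed sample events (not real telemetry): an Excel-spawned regsvr32,
# a benign installer-style regsvr32, and an unrelated Excel child process.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\quote.ocx"},
    {"EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\component.dll"},
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def detect_office_regsvr32(events):
    """Return one alert per process-creation event in which an Office
    application spawns regsvr32.exe. Severity is 'high' when the command
    line references a user-writable directory, 'medium' otherwise."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        if parent not in OFFICE_PARENTS or child != "regsvr32.exe":
            continue
        cmd = ev.get("CommandLine", "")
        user_writable = any(h in cmd.lower() for h in USER_WRITABLE_HINTS)
        alerts.append({"severity": "high" if user_writable else "medium",
                       "parent": parent, "command_line": cmd})
    return alerts


if __name__ == "__main__":
    for alert in detect_office_regsvr32(SAMPLE_EVENTS):
        print(alert)
```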
"Attackers are constantly updating their arsenal to often bypass antivirus engines or automated analysis pipelines, which is probably what Emotet developers have done," explained Palazolo. "However, despite these recent changes, it’s still feasible to detect Emotet and automatically extract its IOCs from a compiled binary."
Emotet, which began as a banking trojan in 2014, eventually evolved into a botnet that sent spam emails to victims in order to install a collection of second-stage payloads (including TrickBot, QakBot and ZLoader) on their devices. Over the past few months, attackers deploying Emotet have adopted various techniques, including the use of “unconventional” representations of IP addresses to avoid detection, and the installation of Cobalt Strike beacons directly by Emotet rather than via an intermediate payload.
To mitigate attacks that deploy Emotet, “we strongly recommend users to update Microsoft Office to its latest versions,” said Palazolo. “Also, IT administrators may also completely block Excel 4.0 (XLM) Macros via Group Policy.”