
Miscreants ready to adapt as macros become obsolete, finds report


Proofpoint researchers have highlighted a new trend in cybercriminal behavior over the past year as a result of Microsoft’s decision to block internet-sourced macros by default. According to the security team’s latest report, there has been a monumental shift in activity and threat behavior within the cybercriminal ecosystem, which is forcing attackers to find new and creative ways to compromise systems and deliver malware.

As previously reported, Microsoft last year began blocking Visual Basic for Applications (VBA) and Excel 4.0 (XL4) macros by default in internet-sourced Office files to bolster security for Office users. Since then, the number of campaigns using either technique has fallen by 66%. However, cybercriminals are now finding fresh avenues for gaining initial access into victims' systems by using LNK files, ISO and RAR attachments, XLL add-ins, and more recently, OneNote documents.

Proofpoint researchers revealed that there were over 700 cyber campaigns in 2021 that used VBA macros, and almost the same number used XL4 macros in their attacks. However, in the first three months of 2023, “macros have barely made an appearance in campaign data” since the change in Microsoft’s default settings.

It's worth noting that security pros had pushed Microsoft to block downloaded macros by default well before Redmond's move, as they were widely used by cybercriminals. Since the software vendor revisited its defaults, there has been significant change in behavior and techniques among online criminals, according to the researchers.

Initially, cybercriminals would distribute macro-enabled documents to targeted users and rely on social engineering techniques to convince victims that the content was important and that enabling macros was needed to access it, thus delivering the malware payload.

Cybercriminals are now shifting away from macros and testing other methods for gaining initial access through email, and no single technique has yet emerged as the consistent, reliable choice among miscreants. Tracked threat actors, initial access brokers (IABs) in particular, have been experimenting with new payload delivery techniques. Several sophisticated e-crime actors have the time and resources available to develop and test different malware delivery techniques.

Miscreants are now using HTML smuggling, PDF files that include a URL that kicks off an attack chain, and OneNote documents to deliver the AsyncRAT remote access trojan. HTML smuggling, whose use accelerated between June and October 2022 before dropping off and returning in February, is a technique in which the malicious payload rides inside an HTML attachment as encoded data (typically a base64 string inside a script) and is decoded and written to disk by the recipient's own browser, so the executable or archive is assembled on the endpoint rather than passing through the mail gateway as a recognizable attachment.
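To make the mechanism concrete, here is an added example (not code from the Proofpoint report or this article) that builds a minimal smuggling page of the shape described above and runs a heuristic triage over it: it looks for the client-side "drop" primitives (atob, Blob, createObjectURL, a download link) and carves every long base64 run, decoding it and checking the magic bytes. The sample HTML and the embedded "payload" (a fake ZIP header plus padding) are constructed for the demonstration; the API list and thresholds are assumptions a practitioner would tune.

```python
"""Heuristic triage of an HTML attachment for HTML-smuggling indicators.

Added example, not Proofpoint's tooling. The sample document below is
constructed for this demonstration; the embedded "payload" is a fake
ZIP header plus padding, not real malware.
"""
import base64
import binascii
import re

# JavaScript APIs typically combined to assemble and drop a file client-side.
# Any one of them is legitimate on its own; the combination with a large,
# decodable inline blob is the smuggling signature. (Assumed list.)
DROP_APIS = [
    "atob(",
    "new Blob(",
    "URL.createObjectURL(",
    "msSaveOrOpenBlob(",
    ".download =",
    'download="',
]

# Magic bytes used to identify a carved payload (a few common ones only).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"\x1f\x8b": "gzip",
    b"Rar!": "rar",
}

# A run of 64+ base64 characters with optional padding.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def identify(data: bytes) -> str:
    """Return a short type name for the decoded blob, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    # ISO 9660 puts its "CD001" signature at offset 0x8001.
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso"
    return "unknown"


def carve_blobs(html: str, min_bytes: int = 64):
    """Decode every long base64 run; return (offset, size, type) per blob."""
    found = []
    for m in B64_BLOB.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # long alphanumeric run that is not valid base64
        if len(data) >= min_bytes:
            found.append((m.start(), len(data), identify(data)))
    return found


def triage(html: str) -> dict:
    """Flag the document only when a drop primitive AND a typed blob coexist."""
    apis = [a for a in DROP_APIS if a in html]
    blobs = carve_blobs(html)
    suspicious = bool(apis) and any(b[2] != "unknown" for b in blobs)
    return {"apis": apis, "blobs": blobs, "suspicious": suspicious}


# --- constructed sample: the shape of a smuggling page -------------------
_payload = b"PK\x03\x04" + b"\x00" * 124  # fake ZIP header + padding (128 bytes)
SAMPLE_HTML = f"""<html><body>
<p>Your invoice is ready.</p>
<script>
var b = atob("{base64.b64encode(_payload).decode()}");
var u = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) u[i] = b.charCodeAt(i);
var blob = new Blob([u], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.zip";
a.click();
</script></body></html>"""

if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
```

Run it and the sample is flagged: four drop primitives plus one 128-byte blob identified as a ZIP. A benign HTML mail with neither a drop primitive nor a decodable blob is not flagged, which is why the verdict requires both. Real smuggling pages usually obfuscate the blob (XOR, reversed strings, split chunks), so the carve step is a starting point rather than a complete detector.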

The tendency to copy what other threat groups are doing was evident in the use of LNK files. Before April 2022, few initial access brokers (IABs), groups that gain access into compromised systems and then sell that access to other cybercriminals, including ransomware operators, used LNK files. But once four threat groups began using such files, including TA542 to deliver the notorious Emotet malware, others started doing the same until the popularity of LNK began to fade in favor of other methods.

The ongoing experimentation with new techniques is going to force threat hunters, malware analysts, and other defenders to quickly adapt, detect campaigns, and create defenses, Proofpoint researchers wrote. They believe that the experimentation with and regular pivoting to new payload delivery techniques by tracked threat actors, especially IABs, is vastly different from attack chains observed before 2022 and heralds a new normal of threat activity. Furthermore, they believe that it is unlikely that there will be a single attack chain or series of techniques that remain consistent or have the same staying power as macro-enabled attachments once did.

