How hackers and threats are adopting to a post-macro world

Macros automate or simplify repetitive and time-consuming tasks in MS Word and MS Excel. But macros also pose a security risk as hackers can embed malicious code in them. Enterprising hackers email malware-embedded macros to unsuspecting users. They promise such users with top-grade functionality to improve productivity or efficiency. Since macros are not flaws that need patching, hackers get away with it. In fact, the promised functionality works as promised. All the hackers need to do is trick the users into downloading it. When the user opens such macros, the malicious code executes. The malicious payloads cause identity theft, loss of sensitive data, and hackers gaining remote access.

Most users cannot detect malicious macros, and many are unaware of the potential risks in the first place. By mid-2021, hackers exploiting the trust of unsuspecting users to gain access to systems became commonplace. A notable incident was threat actor TA542 using macros to deliver the Emotet malware. TA542 had conducted high-volume campaigns in the preceding months.

Microsoft has been restricting macros since 2016 when the threat emerged. By mid-2021, the company decided to stop running macros by default in MS Office.

Microsoft blocked the default run of:

VBA (Visual Basic applications) and XL4 (Excel 4.0) macros in Windows Office applications.
All VBA macros in email attachments and links.

The move reduced the risk of users executing malicious code on their computers inadvertently. Previously, to prevent such risk, admins had to configure domains to block untrusted VBA macros. Admins often overlooked such blocks, and they remained ineffective even when implemented.

Hackers lost a major avenue to inflict user systems with viruses, ransomware, and other malware. Security vendor Proofpoint estimates the use of macros to deliver malware decreased by 66% between October 2021 and June 2022.

But cyber security is ever-evolving. When the doors of macros shut, hackers started adopting new tactics to continue their malicious activities. Here is how hackers evade detection and bypass security measures in the changing threat landscape.

1. Increased reliance on social engineering attacks

Disabling macros by default reduces cyber-attack risks, but it is not a foolproof solution. Users who need macros can still enable them, and such enabled macros come with inherent risks as before.

Hackers have always relied on social engineering tactics to make people click malicious links. They use the all-too-common such as pretexting and phishing, to coax users into enabling macros.

The threat actors especially weaponize VBA macros and XL4 macros in MS Excel.

2. Using containers and Windows shortcut files

When Microsoft disabled XL4 macros for Excel in 2021, hackers came up with alternative sources.

Top on their list is container files, such as. ISO, .RAR, .ZIP, and.IMG file types. The use of ISO, RAR, and LNK files to deliver malware had increased by 175% from October 2021 to June 2022, when the use of macros decreased by 66%.

The use of Windows Shortcut files (.LNK) has also increased. The number of malware campaigns containing .LNK files has grown by a whopping 1,675% since October 2021.

Container files obscure windows shortcut (.LNK), Dynamic Link Libraries (.DLL), and executable (.EXE) files. When users open these files, the malicious payload is installed by itself.

Microsoft blocks VBA macros based on zone identifiers, a Mark of the Web (MOTW) attribute. MOTW attribute makes explicit whether the file comes from the Internet or any restricted source. Typically, this source information reveals whether to trust the file or not. But hackers can embed malware-infested macros in documents inside container files and bypass MOTW.

ISO, RAR, ZIP, and IMG files downloaded from the Internet have the MOTW attribute. But these documents inside the container files, such as macro-enabled spreadsheets, may not have MOTW. When the user extracts such embedded documents, the malicious code executes automatically. The only solace is that the user will still have to enable macros to trigger the malware.

3. Using HTML attachments

With macros no longer an effective way to deliver payloads, hackers turn to HTML smuggling. Here, the attacker encodes malicious script into an HTML attachment. When the victim opens this malicious HTML file, the web browser decodes the embedded malware script. When the malware script executes, it infects the victim machine with the payload.

The number of attacks using HTML attachments as the vehicle to deliver payload have been low so far. But this type of attack has had a steady rise of late. Malware campaigns using HTML attachments doubled from October 2021 to June 2022.

Here again, hackers coax users to click on HTML attachments using social engineering attacks.

4. Compromising legitimate software and tools

Hackers slip in malware through legitimate remote access tools and system administration utilities. Like macros, these tools are not inherently malicious. But hackers may embed malicious payloads in compromised versions and coax users to download it.

Hackers especially favour virtual private servers and web hosting platforms to orchestrate these attacks. The cloud offers anonymity and easy scalability, making detection hard.

The trend is for hackers to focus on more minor, targeted attacks than large-scale attacks. Such smaller attacks are more difficult to detect compared to large-scale attacks. They also use polymorphic malware to deliver their payloads. Polymorphic malware changes appearance and behaviour, making detection and defence difficult.

Defences

The best defence against such heightened threats is due diligence. Due diligence includes:

Downloading macros only from trusted sources
Deploying the latest cyber defences, including network monitoring tools. The latest AI-powered network monitoring tools scan the traffic in real-time. These tools detect anomalies or suspicious behaviour, raise alerts, and nip threats in the bud.
Keeping protocols up-to-date. Regular patch updates close vulnerabilities, preventing the malware from doing any damage.
Spreading awareness. Humans are often the weak link in cyber security. Enterprise users often let their guard down, allowing hackers to sneak in their malicious payload. Awareness and training programs make the workforce more diligent.

Cyber security is a game of cat and mouse between cyber security experts and threat actors. Those who are ahead in innovation succeed. The onus is on cyber security to become more vigilant and introduce new techniques to thwart threat actors. State-of-the-art tools such as ProofPoint offer comprehensive multi-faceted protection that protect enterprise users from malware threats. To put things into perspective, ProofPoint analyses five billion emails a day, drastically reducing email threats to subscribers. Flexible deployment options and dynamic counter-measure tools keep all threats at bay.

Supriyo Sircar

Supriyo has over 30+ years of industry experience and is currently a hands-on entrepreneur running DigiLeap Technologies, a specialist in RPA and in RPA Applications, providing RPA technology project outsourcing as well as staffing services on several RPA products and Diligent line of Banking Compliance products for Enterprise KYC and Identification and Verification. Earlier, Supriyo served as the CEO of Asia Pacific in Polaris, a BFS Technology specialist company based in Singapore and had also headed BFS Strategy and Large Deals based in London, for Virtusa, post Polaris’ acquisition by Virtusa. Prior to this, he was at Scandent Singapore (acquired by XchangeInc – now DXC) and BMC Software in Singapore, Asia and Houston, USA, as well as in Remco Americas, Houston and Unify Corporation across various roles in Sales, Presales, Consulting and Technology Mgmt. Supriyo enjoys independent consulting and is always happy to provide technical advice at SupriyoS@digileap.net.