Microsoft’s attempt to thwart malicious actors from tricking users into executing malware and ransomware, by blocking Visual Basic for Applications (VBA) and Excel 4.0 (XL4) macros by default in its most popular Office applications, has had a profound affect on the cyber criminal landscape, according to data from Proofpoint.
Microsoft first announced plans to start blocking VBA macros in February 2022, with the policy going into effect at the end of April. Its Microsoft Office suite had supported macros for years, but up to that point – while it warned users about the risks of enabling them – they could still do so by clicking a button. This gave rise to a situation where cyber criminals knew very well that they could use macros to deliver malicious payloads via tainted Office files.
Under the policy, users cannot enable macros at the click of a mouse, but instead see a message bar telling them macros are blocked, with options to learn more. They can still enable macros if they like, but doing so now requires them to click through more layers, reducing the possibility that they will accidentally click on a convincing phishing email.
Proofpoint said that by the simple method of adding more friction, threat actors across the spectrum – from small-time players to experienced cyber criminal ransomware gangs – have had to make major changes to how they conduct “business”.
According to its data, in 2022, the total number of campaigns using macros of either kind dropped by two-thirds over the course of 2022, and nearly six months into 2023, macros have barely made an appearance in any observed campaigns.
However, as a result of this, the cyber criminal ecosystem has experienced a “monumental shift” in activity and behaviour in ways never seen before, according to Proofpoint researchers Selena Larson and Joe Wise.
“Financially motivated threat actors that gain initial access via email are no longer using static, predictable attack chains, but rather dynamic, rapidly changing techniques,” wrote Larson and Wise in a newly published whitepaper. “Based on Proofpoint’s … telemetry analysing billions of messages per day, [we] have observed widespread threat actor experimentation in malware payload delivery, using old file types, unexpected attack chains, and a variety of techniques that result in malware infections, including ransomware.”
According to Larson and Wise, threat actors are still testing various behaviours to try to find the most effective method of using email to gain initial access, and no reliable, consistent alternative to macros has yet emerged.
The more sophisticated actors – including ransomware gangs – have been observed developing, iterating and testing new malware delivery tactics, techniques and procedures (TTPs), while elsewhere in the cyber criminal community, a game of “follow-the-leader” seems to be unfolding, with new techniques spreading virally through the underground over time.
HTML smuggling and dirty PDFs
One of the more popular techniques that has seen a dramatic uptick in usage in the past 12 months is HTML smuggling, where the threat actor “smuggles” an encoded script in an HTML attachment which, when opened, is decoded by the victim’s web browser and used to assemble the malware payload.
Use of HTML smuggling rose sharply between June and October 2022 before falling back, and has spiked again since February 2023. Last autumn, and again since March 2023, it has been heavily used by a threat actor tracked by Proofpoint as TA577. TA577 is a particularly prolific, Russian-speaking group that conducts broad targeting across multiple sectors and geographies. It has previously been associated with the use of Sodinokibi – aka REvil – ransomware, which it likely spread via malicious macros. It has possibly now pivoted to association with Black Basta attacks.
Others have been observed falling back on the use of PDF files, which in a typical attack scenario will include a URL that must be clicked to begin the infection chain. Multiple groups working as initial access brokers (IABs) started to ramp up their use of this technique in December 2022, and its prevalence has been increasing since then.
One of the largest cyber crime actors to start using PDF files is TA570, an active affiliate of the Qbot aka Qakbot trojan malware that has been linked to the ProLock and Egregor ransomwares. It has recently been observed sending PDF attachments that direct to a zipped password protected IMG file that contains a shortcut leading to Qbot. In April 2023, it was observed experimenting with PDF encryption, possibly in an attempt to make it harder for security teams and researchers to identify its activity.
“The experimentation with and regular pivoting to new payload delivery techniques by tracked threat actors, especially IABs, is vastly different from attack chains observed prior to 2022 and heralds a new normal of threat activity,” wrote Larson and Wise. “No longer are the most experienced cyber criminal actors relying on one or a few techniques, but rather are frequently developing and iterating new TTPs. The rapid rate of change for many threat actors suggests they have the time, capability, and understanding of the threat landscape to rapidly develop and execute new techniques.”
The current fast pace of TTP evolution is also having an effect on security teams, analysts and researchers, and cyber security developers, who now face the prospect of having to much more quickly identify emergent trends and create new defences to protect against them.
Larson and Wise believe this trend will continue for the foreseeable future, and assessed it is unlikely a single attack chain or series of techniques will emerge that remains consistent – or has the same staying power as macro exploitation once did.