In a Post-Macro World, Container Files Emerge as Malware-Delivery Replacement

Threat actors have sharply reduced their use of one of their favorite malware distribution techniques following Microsoft's decision earlier this year to disable Office macros in documents downloaded from the Internet. However, container files have risen to help cyberattackers get around the obstacle.

This pivot is obvious: In the months since Microsoft's Oct. 21 announcement that it would disable macros by default, there has been a 66% decline in threat actor use of VBA and XL4 macros, according to Proofpoint.

Other security vendors such as Netskope have also observed a substantial drop in Office-based attacks following Microsoft's move. In July 2022, the proportion of Office malware that the security vendor's cloud security platform detected was less than 10% of all malware activity, compared with 35% a year ago.

Researchers at Proofpoint who have been tracking the pivot to container files said this week that attackers have begun using a variety of new file types as alternatives to hiding malware in macro-enabled documents attached to email messages. This notably includes switching to files such as LNK, RAR, IMG and ISO files in their recent campaigns, according to the security vendor.

Patrick Tiquet, vice president of security and architecture at Keeper Security, says researchers at his company have seen, for instance, an increase in attacks using ISO files. Often these attacks have targeted non-technical employees such as sales or customer service representatives, he says. Typically, the attackers try to convince the victim to download and open the ISO file under the guise of scheduling a meeting.

Same Tactics, Evolving Delivery Mechanisms

"Generally speaking, these other file types are directly attached to an email in the same way we'd previously observe a macro-laden document," says Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.

However, there are also instances where the attack chains are more convoluted, she says. For example, in some recent QakBot (aka Qbot) banking Trojan campaigns, threat actors embedded a zip file containing an ISO inside an HTML file that was directly attached to a message.

But, "as for getting intended victims to open and click, the methods are the same: a wide array of social-engineering tactics," DeGrippo says.

In addition, she notes that before Microsoft's macros announcement, a variety of actors were already using archives and image files to distribute malware, so this is not a new technique by any means. "[The increased use of container files should be seen as] more of a realignment or pivot to existing methods that should already be accounted for in a defensive posture," she says.

Getting Past Mark of the Web Protections

Attackers have made the switch because container files give them a way to sneak malware past the so-called Mark of the Web (MOTW) attribute that Windows uses to tag files downloaded from the Internet, DeGrippo says.

Such files are restricted in what they can do and — starting with Microsoft Office 10 — are opened in Protected View by default.

Executables that have been tagged with the attribute are checked against a list of known trusted files and prevented from executing automatically if the check reveals the file to be unknown or untrusted. Instead, users get a warning about the file being potentially dangerous.

"MOTW is metadata stored in an alternate data stream, and generally speaking, that data only exists for the outermost container: the file directly downloaded," DeGrippo tells Dark Reading.

The key point is that the document inside a container file — a macro-enabled spreadsheet, for instance — will not be tagged the same way.

"The inner or archived files were not downloaded and, in many cases, will then not have any MOTW metadata associated with them," she says. In these instances, a user would still need to enable macros for the malicious code to run, but the file would not be identified as having come from the Web and therefore would not be considered untrusted.

MITRE's ATT&CK database also identifies container files as a way threat actors can bypass MOTW to deliver malicious payloads on target systems.

"MOTW is a New Technology File System (NTFS) feature and many container files do not support NTFS alternate data streams," MITRE has noted. "After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections."

Russia's APT29 gang (aka Cozy Bear) and the TA505 group (the threat actor behind the Locky ransomware variant and the Dridex banking Trojan) are both examples of cyberattackers that have used container files to subvert MOTW protections and deploy malicious payloads, according to MITRE.
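As an added example that is not from the article, Proofpoint or MITRE, the following Python gateway-side check classifies an attachment by its bytes rather than its name and recurses into nested zips to report ISO, RAR, LNK and macro-enabled Office members, the kinds of inner files the text says will not carry MOTW once extracted or mounted. The signature table and the sample archive are constructed for illustration; the nested-archive case mirrors the zip-inside-HTML chain described above.

```python
import io
import zipfile

LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"   # HeaderSize + start of the LNK CLSID
PREFIX_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", LNK_MAGIC: "lnk"}
ISO_PVD_OFFSET, ISO_MAGIC = 0x8001, b"CD001"      # ISO 9660 primary volume descriptor
REPORTED = {"iso", "rar", "lnk", "macro-office", "zip"}

def classify(data: bytes) -> str:
    """Type an attachment by its bytes; names and extensions are attacker-controlled."""
    kind = next((k for m, k in PREFIX_MAGIC.items() if data.startswith(m)), "other")
    if kind == "other" and data[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 5] == ISO_MAGIC:
        kind = "iso"
    if kind == "zip":  # OOXML documents are zips; a vbaProject.bin member means macros
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.endswith("vbaProject.bin") for n in zf.namelist()):
                    kind = "macro-office"
        except zipfile.BadZipFile:
            kind = "bad-zip"
    return kind

def walk(name: str, data: bytes, depth: int = 0, max_depth: int = 4):
    """Yield (depth, name, kind) for the attachment and every member of nested zips."""
    kind = classify(data)
    yield depth, name, kind
    if kind == "zip" and depth < max_depth:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > 64 * 1024 * 1024:   # refuse to inflate huge members
                    yield depth + 1, info.filename, "oversized"
                elif not info.is_dir():
                    yield from walk(info.filename, zf.read(info), depth + 1, max_depth)

def findings(name: str, data: bytes) -> list:
    """Container or macro items at any level; a plain top-level zip by itself is not reported."""
    return [(d, n, k) for d, n, k in walk(name, data)
            if k in REPORTED and not (d == 0 and k == "zip")]

def build_sample() -> bytes:
    """Constructed sample: a zip holding an ISO stub, a .lnk stub and a macro-enabled docx."""
    iso = bytes(ISO_PVD_OFFSET) + ISO_MAGIC        # zeros up to the PVD, then "CD001"
    docm, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(docm, "w") as zf:
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.iso", iso)
        zf.writestr("meeting.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("quote.docm", docm.getvalue())
    return outer.getvalue()
```

A mail or download gateway can quarantine or flag an attachment whenever findings() is non-empty, which is the point at which a block-list policy on container types such as ISO is enforceable even when the container arrives inside an ordinary zip.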

Easier to Block

Security researchers have widely welcomed Microsoft's decision to disable macros in files from the Internet. Attackers have long used macros to distribute malware, relying on the fact that users often leave macros enabled by default, which gives them a relatively easy way to execute malicious payloads on victim systems. Microsoft itself has urged users to disable Office macros when not needed, citing security concerns. But the company did not make it a default setting until earlier this year.

DeGrippo says Microsoft's decision to disable macros as default behavior affects defenders in a positive way even when threat actors are using other methods to distribute malware.

"Organizations generally have a hard time blacklisting filetypes like Word and Excel documents," she says. "But something like ISOs are often less critical to a company's day-to-day operations," and can therefore be more easily put on a block list.

Keeper Security's Tiquet agrees. Current endpoint security systems can block most of these attacks, but "users must be aware of and educated about this kind of attack," he says.