Threat actors have sharply reduced the use of one of their favorite malware distribution tactics following Microsoft's decision earlier this year to disable Office macros in documents downloaded from the Internet. However, container files have risen to help cyberattackers get around the issue.
This pivot is clear: In the months since Microsoft's Oct. 21 announcement that it would disable macros by default, there's been a 66% decline in threat actor use of VBA and XL4 macros, according to Proofpoint.
Other security vendors such as Netskope have also observed a substantial drop in Office-based attacks following Microsoft's move. In July 2022, the percentage of Office malware that the security vendor's cloud security platform detected was less than 10% of all malware activity, compared with 35% a year ago.
Researchers at Proofpoint who have been tracking the pivot to container files said this week that attackers have begun using a variety of new file types as alternatives to hiding malware in macro-enabled documents attached to email messages. This particularly includes switching to using files such as LNK, RAR, IMG and ISO files in their recent campaigns, according to the security vendor.
Patrick Tiquet, vice president of security and architecture at Keeper Security, says researchers at his company have noticed, for instance, an increase in attacks using ISO files. Often these attacks have targeted non-technical staff such as sales or customer service representatives, he says. Usually, the attackers try to convince the victim to download and open the ISO file under the guise of scheduling a meeting
Same Tactics, Evolving Delivery Mechanisms
"Generally speaking, these other file types are directly attached to an email in the same way we would previously observe a macro-laden document," says Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.
However, there are also cases where the attack chains are more convoluted, she says. For example, with some recent QakBot (aka Qbot) banking Trojan campaigns, threat actors embedded a zip file containing an ISO within an HTML file that was directly attached to a message.
But, "as for getting intended victims to open and click, the methods are the same: a wide array of social-engineering tactics," DeGrippo says.
In addition, she notes that before Microsoft's macros announcement, a variety of actors were already using archives and image files to distribute malware, so this is not new technique by any means. "[The increased use of container files should be seen as] more of a realignment or pivot to existing techniques that should already be accounted for in a defensive posture," she says.
Getting Past Mark of the Web Protections
Attackers have made the switch because container files give them a way to sneak malware through the so-called Mark of the Web (MOTW) attribute that Windows uses to tag files downloaded from the Internet, DeGrippo says.
Such files are restricted in what they can do and — starting with Microsoft Office 10 — are opened in Protected View by default.
Executables that have been tagged with the attribute are checked against a list of known trusted files and prevented from executing automatically if the check shows the file to be unknown or untrusted. Instead, users get a warning about the file being potentially dangerous.
"MOTW is metadata stored in an alternate data stream, and generally speaking, that data only exists for the outermost container: the file directly downloaded," DeGrippo tells Dark Reading.
The key is that the document inside a container file — a macro-enabled spreadsheet, for instance — will not be tagged the same way.
"The interior or archived files were not downloaded and, in many cases, will then not have any MOTW metadata associated with them," she says. In these instances, a user would still need to enable macros for the malicious code to run, but the file would not be identified as having come from the Web and therefore would not be considered untrusted.
MITRE's ATT$CK database also identifies container files as one way threat actors can bypass MOTW to deliver malicious payloads on target systems.
"MOTW is a New Technology File System (NTFS) feature and many container files do not support NTFS-alternative data streams," MITRE has noted. "After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections."
Russia's APT29 gang (aka Cozy Bear) and the TA505 group (the threat actor behind the Locky ransomware variant and the Dridex banking Trojan), are both examples of cyberattackers that have used container files to subvert MOTW protections and deploy malicious payloads, according to MITRE.
Easier to Block
Security researchers have widely welcomed Microsoft's decision to disable macros in files from the Internet. Attackers have long used macros to distribute malware, relying on the fact that users often leave macros enabled by default, therefore giving them a relatively straightforward to execute malicious payloads on victim systems. Microsoft itself has urged users to disable Office macros when not needed citing security concerns. But the company did not make it a default setting until earlier this year.
DeGrippo says Microsoft’s decision to disable macros as default behavior impacts defenders in a positive way even if threat actors are looking at other ways to distribute malware.
"Organizations generally have a hard time blacklisting filetypes like Word and Excel documents," she says. "But something like ISOs are often less essential to a company’s day-to-day operations," and can therefore be more easily put on a block list.
Keeper Security's Tiquet agrees. Current endpoint security systems can block most of these attacks, but "users must be aware of and trained about this kind of attack," he says.