
Hackers find a new way to infect devices as Microsoft blocks malicious macros

After Microsoft took precautionary measures by changing the default behavior of its Office macros and blocking malicious macros to stop threat actors from distributing malware via phishing attachments, hackers changed course and began using ISO, RAR, and Windows Shortcut (LNK) file attachments.

Visual Basic for Applications (VBA) and Excel 4.0 macros used in Microsoft Office applications are programs created to perform repetitive tasks. Threat actors use macros to install malware, delivered as MS Office attachments via phishing emails. Security researchers say that even though Microsoft announced the blocking of malicious macros, it took a long time to implement the measures. Meanwhile, hackers gained new ways to access victim devices using Microsoft Office applications.

According to Proofpoint Inc., an American enterprise security company, hackers changed the type of malicious campaigns they run, reducing the use of macros to 66% between October 2021 and June 2022 and showing a clear shift to other methods of payload distribution. Meanwhile, their use of container files such as ISO, ZIP, RAR, and LNK increased by 175%. Security researchers said that the use of LNK files increased by 1675% after February 2022, when Microsoft announced it would take measures against default macros. The LNK files were used to execute PowerShell scripts that download and install malware remotely, because a link file can run any command when a user opens it.

Proofpoint said that hackers would increasingly use HTML attachments to drop malicious files on the host's system. Hackers are also using password-protected attachments in their phishing campaigns to avoid detection by security software. However, this has also reduced the impact on targets, as they rarely open password-protected files. Researchers say this is how the rate of infecting devices with the help of phishing links is falling and the hackers are running out of options.
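For defenders, the attachment types named above can be recognized by content rather than by file name. The following is an added example, not code from the article or from Proofpoint: a mail-gateway style triage that flags LNK, ISO, RAR, HTML and ZIP attachments, encrypted ZIP entries, and flagged file types nested inside a ZIP. The function names, the flagged-extension policy and the sample ZIP are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# Assumed policy: member extensions worth flagging inside an archive.
FLAGGED_MEMBER_EXT = {".lnk", ".iso", ".html", ".htm"}

def inspect_zip(data):
    """Flag encrypted entries and flagged member types without extracting."""
    findings = set()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted
                    findings.add("zip-encrypted")
                ext = os.path.splitext(info.filename.lower())[1]
                if ext in FLAGGED_MEMBER_EXT:
                    findings.add("zip-contains:" + ext)
    except zipfile.BadZipFile:
        findings.add("zip-malformed")
    return findings

def classify_attachment(data):
    """Identify an attachment by content, ignoring its claimed file name."""
    findings = set()
    if data.startswith(LNK_MAGIC):
        findings.add("lnk")
    if data[0x8001:0x8006] == b"CD001":  # ISO 9660 volume descriptor
        findings.add("iso")
    if data.startswith(b"Rar!\x1a\x07"):  # RAR 4.x and 5.x share this prefix
        findings.add("rar")
    if data[:1024].lstrip().lower().startswith((b"<!doctype html", b"<html")):
        findings.add("html")
    if data.startswith(b"PK\x03\x04"):
        findings |= {"zip"} | inspect_zip(data)
    return findings

def constructed_zip(member, encrypted=False):
    """Build a constructed sample ZIP; optionally set the encrypted flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed sample")
    raw = bytearray(buf.getvalue())
    if encrypted:  # flip bit 0 of the flags field in the central directory
        raw[raw.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)

if __name__ == "__main__":
    print(classify_attachment(constructed_zip("invoice.lnk", encrypted=True)))
```

An encrypted entry cannot be scanned by content, so a gateway would typically quarantine on the `zip-encrypted` finding alone rather than try to inspect further.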


