Attackers are slowly abandoning malicious macros

Malicious macro-enabled documents as vehicles for email-based malware delivery are being used less and less, Proofpoint researchers have noticed. Threat actors are switching to email attachments using Windows Shortcut (LNK) files and container file formats instead.

The popularity decline of malicious macros

“According to an analysis of campaigned threats, which include threats manually analyzed and contextualized by Proofpoint threat researchers, the use of macro-enabled attachments by threat actors decreased approximately 66% between October 2021 and June 2022,” the researchers have shared.

The beginning of the decreasing popularity of malicious macro-enabled files can be traced back to Microsoft’s announcement in late 2021 of its intention to disable Excel 4.0 XLM macros in Microsoft 365 by default.

Then, in February 2022, Microsoft announced the default blocking of VBA macros obtained from the internet for five Office apps that run macros – a change that has been finally implemented last week.

What advantages do container and LNK files offer for attackers?

While macro-enabled documents are still used by attackers, the gradual move to other types of attachments that can bypass Microsoft’s macro blocking protection and facilitate the distribution of executables is undeniable.

Container file formats such as ISO, RAR, ZIP, and IMG files can be used to send macro-enabled documents that won’t be blocked because they don’t have a Mark of the Web (MOTW) attribute – though users still have to enable macros for the malicious code to be executed without their knowledge.

“Additionally, threat actors can use container files to distribute payloads directly. When opened, container files may contain additional content such as LNKs, DLLs, or executable (.exe) files that lead to the installation of a malicious payload,” the researchers noted.

Various attackers have lately been spotted including LNK files in ISO files.

According to the researchers, as least 10 tracked threat actors have begun using LNK files since February 2022 and the number of campaigns containing LNK files increased 1,675% since October 2021.

Other techniques attackers have been trying out include the use of XLL files (a type of DLL file for Excel) and HTML smuggling, i.e., embedding encoded malicious files in a specially crafted HTML attachment or web page – but these are not as widely popular as using container and LNK files.