With Microsoft disabling the macros by default, hackers are shifting to new alternative methods of deploying the malware on their target’s computer, says Proofpoint researchers.
They noted the hackers using container file types like ISO, RAR, and Windows Shortcut (LNK) more than the regular Docx and XLS files, since they’re obsolete now with no macros support. Yet, hackers are put to more struggle with the new file types, as they need support from the target to be compromised.
Shifting to Container Files
Up until now, a phishing email used to contain a malicious Word or Excel file from hackers that ask the targets to open and enable macros to make it more viewable. But the actual cause is to run their malware in the background since macros have the ability to do so.
VBA and XL4 macros are small Microsoft programs created to automate repetitive tasks in Office applications. Since these are abused by hackers, Microsoft decided to block them by default in all office apps.
Though this change had gone into effectiveness last week, hackers started shifting to other better means months ago. As noted by the Proofpoint researchers, between October 2021 and June 2022, there was a significant fall in payload distribution using macros.
At the same time, they noted hackers using container file types like ISOs, ZIPs, and RARs grew by almost 175%. The usage of LNK files, especially, exploded after February 2022 by 1,675% compared to October 2021 – becoming the major weapon of choice for ten individual threat groups, says Proofpoint.
We’ve already seen some of the biggest botnet gangs – QBot and Emotet using LNK files in their campaigns, as they can execute almost any command the user has permission to use. They’re preferred to execute PowerShell scripts, which can download and execute malware from remote sources.
Though it’s easy for hackers to find alternatives, they aren’t effective as the regular Docx or XLS files since the container files would require the targets to put some extra effort to make them work.