
Attackers are slowly abandoning malicious macros
2022-07-29 10:48

Threat actors are switching to email attachments using Windows Shortcut files and container file formats instead.

The popularity decline of malicious macros

The beginning of the decreasing popularity of malicious macro-enabled files can be traced back to Microsoft's announcement in late 2021 of its intention to disable Excel 4.0 XLM macros in Microsoft 365 by default.

Container file formats such as ISO, RAR, ZIP, and IMG files can be used to send macro-enabled documents that won't be blocked because they don't have a Mark of the Web attribute - though users still have to enable macros for the malicious code to be executed without their knowledge.

"Additionally, threat actors can use container files to distribute payloads directly. When opened, container files may contain additional content such as LNKs, DLLs, or executable files that lead to the installation of a malicious payload," the researchers noted.

Various attackers have lately been spotted including LNK files in ISO files.

Other techniques attackers have been trying out include the use of XLL files and HTML smuggling, i.e., embedding encoded malicious files in a specially crafted HTML attachment or web page - but these are not as widely popular as using container and LNK files.
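
A mail-gateway style triage of the container technique described above, as an added example that is not from the original article: it lists ZIP members whose extensions match the file types named here (LNK, DLL, XLL, nested ISO/IMG/RAR/ZIP, macro-enabled documents). The function names, extension sets and size cap are assumptions of this example, and the sample archive is constructed with placeholder bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Groups follow the file types the article names; exact extensions are assumed.
CATEGORIES = {
    "shortcut": {".lnk"},
    "executable": {".exe", ".dll", ".xll"},
    "nested_container": {".iso", ".img", ".rar", ".zip"},
    "macro_document": {".docm", ".xlsm", ".xlsb", ".pptm"},
}
MAX_INNER_BYTES = 20 * 1024 * 1024  # do not inflate oversized nested archives

def classify(name):
    """Return the category of an archive member name, or None."""
    # Windows ignores case and trailing dots/spaces, so normalise first.
    suffix = PurePosixPath(name.replace("\\", "/").rstrip(". ").lower()).suffix
    return next((c for c, exts in CATEGORIES.items() if suffix in exts), None)

def triage_zip(data, depth=0, max_depth=2):
    """List (member path, category) for risky entries in a ZIP given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in (i for i in archive.infolist() if not i.is_dir()):
            category = classify(info.filename)
            if category:
                findings.append((info.filename, category))
            # Only nested ZIPs are opened; ISO/IMG/RAR need other parsers.
            nested = info.filename.lower().endswith(".zip")
            if nested and depth < max_depth and info.file_size <= MAX_INNER_BYTES:
                inner = archive.read(info)
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    for path, found in triage_zip(inner, depth + 1, max_depth):
                        findings.append((f"{info.filename}!{path}", found))
    return findings

def build_sample():
    """Constructed attachment with placeholder bytes; only the names matter."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as archive:
        archive.writestr("Invoice.LNK", b"placeholder")
        archive.writestr("data/helper.dll", b"placeholder")
    with zipfile.ZipFile(outer, "w") as archive:
        archive.writestr("readme.txt", b"hello")
        archive.writestr("report.xlsm", b"placeholder")
        archive.writestr("scan.iso", b"placeholder")
        archive.writestr("docs.zip", inner.getvalue())
    return outer.getvalue()
```

Calling `triage_zip(build_sample())` reports the macro-enabled workbook, the ISO (flagged but not opened), the nested ZIP, and the LNK and DLL inside it, while `readme.txt` is ignored.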


News URL

https://www.helpnetsecurity.com/2022/07/29/malicious-macros-decline/