How Microsoft sealed cybercriminals' leading infection technique

Is this the twilight of one of the techniques most used by cybercriminals? According to cybersecurity firm Proofpoint, between October 2021 and June 2022, attackers decreased their use of VBA and XL4 macros by 66%. Behind these technical names is a command system built into Microsoft Office software (Word, Excel, PowerPoint…), which allows users to automate certain tasks such as updating figures from a database or writing reports.

Essential to the functioning of the HR and marketing divisions of thousands of companies, macros have also been massively exploited by cybercriminals since the 2010s, to the point of becoming the most widely used mechanism for the initial infection of victims. After years without directly addressing the problem, Microsoft has been working on it since October 2021, successfully. According to Proofpoint, this is “one of the biggest changes in the email threat environment in recent history”. Problem: criminals are already switching their efforts to other infection techniques.

The trap of Office macros finally disarmed

In February 2022, Microsoft quietly announced that it would change the default macro setting for Office files received over the Internet. This highly anticipated change was welcomed by the entire cybersecurity community. Concretely, the publisher changed a button that let each user manually enable the macros. If the file contained a malicious macro, a single click on the “yes” box of the message displayed when opening the document, and the damage was done. Since the change, this interaction is no longer possible. From now on, the user must contact the administrator of their computer network to enable the macros, which drastically limits the risk of falling into the trap and launching the deployment of malicious software.

The largest cybercriminal groups, such as Emotet or Dridex, exploited this attack technique so heavily because it combined several advantages. First, it allowed them to bypass the antivirus detection tools of email services. And for good reason: the malicious Excel or Word file does not contain the virus strain itself. The macro is just a command, which downloads and starts the malware installation when activated. Detecting the intent of a macro requires a deep level of analysis that is difficult to automate, especially since cybercriminals have methods of obfuscating their macros to hinder understanding.

Second, this method of infection requires few technical skills, which makes it possible to mobilize a large workforce of novice criminals. It only takes a few brains to create the macros and set up the infection infrastructure; then anyone can launch the attacks. All they have to do is write a convincing email (posing as a colleague or a client, for example) that encourages the target to open the attachment and enable the macros. The more personalized the email is for the victim, the more likely it is to hit the mark.

Cybercriminals are adapting

Since Microsoft's first announcements in October, cybercriminals have begun adapting their methods. According to the Proofpoint researchers, they have turned to “container files” – such as ISO (.iso), RAR (.rar) or ZIP (.zip) files – capable of holding other files, in order to circumvent the new blocking of macros. In detail, these formats prevent Office suite software from applying the “Mark of the Web” (MOTW) tag to the file that contains the malicious macro. Yet it is precisely this attribute that indicates that a file has been downloaded from the Internet, and that triggers the default blocking of macros.

Concretely, when the victim downloads a ZIP or ISO file, it is the container that receives the MOTW marker. But if the victim unpacks the .zip, the documents it contains will not carry the tag, since they are not considered to have been downloaded from the Internet. Cybercriminals can therefore use this Trojan-like scheme to embed an Excel file with malicious macros, which the victim can enable because the new protection is never triggered. The container can also carry .lnk, .dll or .exe files, which contain the malware directly.
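As an added example (not part of the article), a small Python audit that parses the Zone.Identifier stream Windows uses to carry the MOTW and flags macro-capable Office files extracted from an Internet-marked container that lost the mark. The `<file>:Zone.Identifier` stream path, the list of macro-capable extensions and the "ZoneId 3 or higher means untrusted" rule are this script's own assumptions.

```python
"""Audit Mark-of-the-Web (MOTW) on a downloaded container and its extracted files."""
import configparser
from pathlib import Path
from typing import Dict, List, Optional

# Zone ids as written by Windows into the Zone.Identifier stream (0-2 are local/trusted).
ZONE_NAMES = {0: "My Computer", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
# Assumption: file types that can carry VBA/XL4 macros (.docx/.xlsx cannot).
MACRO_EXTENSIONS = {".doc", ".xls", ".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}


def parse_zone_identifier(stream: str) -> Optional[int]:
    """Parse a Zone.Identifier stream ("[ZoneTransfer]\nZoneId=3\n...") into its zone id."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(stream)
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None  # malformed or missing ZoneTransfer section


def read_zone_identifier(path: Path) -> Optional[int]:
    """Read the NTFS alternate data stream <file>:Zone.Identifier (Windows only; assumption)."""
    try:
        with open(f"{path}:Zone.Identifier", "r", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None  # no stream at all: Windows treats the file as local


def macros_blocked(zone: Optional[int]) -> bool:
    """Assumption: Office's default block fires for files marked Internet (3) or worse."""
    return zone is not None and zone >= 3


def audit_container(container_zone: Optional[int], extracted: Dict[str, Optional[int]]) -> List[str]:
    """Report macro-capable files that no longer carry the MOTW their container had."""
    findings = []
    for name, zone in extracted.items():
        is_macro_file = Path(name).suffix.lower() in MACRO_EXTENSIONS
        if is_macro_file and macros_blocked(container_zone) and not macros_blocked(zone):
            findings.append(f"{name}: container from {ZONE_NAMES.get(container_zone, '?')} zone, "
                            "file unmarked, macros would NOT be blocked")
    return findings


if __name__ == "__main__":
    # Constructed sample: a downloaded archive marked Internet, its contents unmarked.
    archive_zone = parse_zone_identifier("[ZoneTransfer]\nZoneId=3\nHostUrl=https://example.invalid/i.zip\n")
    for line in audit_container(archive_zone, {"invoice.xlsm": None, "readme.txt": None, "notes.docx": None}):
        print(line)
```

On a real Windows host, replace the constructed zones with `read_zone_identifier(Path(...))` calls over the archive and the extraction directory.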

However, this new method has drawbacks. It requires an extra click from the victim, which gives them more time to realize that the file is suspicious. Users are also warier of a file with an extension they don't recognize than of a Word or Excel file, since they open several of those a day. Suffice it to say that the change made by Microsoft has complicated the task of cybercriminals.