Blocking Macros Is Only the First Step in Defeating Malware

But it's a move in the right direction

  • Microsoft’s decision to block macros will rob threat actors of this popular means for distributing malware.
  • However, researchers note that cybercriminals have already changed tacks and significantly reduced using macros in recent malware campaigns.
  • Blocking macros is a step in the right direction, but at the end of the day, people need to be more vigilant to avoid getting infected, suggest experts.
[Image: A Microsoft computer displaying a warning about a malicious file. Ed Hardie / Unsplash.]

While Microsoft took its own sweet time deciding to block macros by default in Microsoft Office, threat actors were quick to work around this limitation and devise new attack vectors.

According to new research by security vendor Proofpoint, macros are no longer the favorite means of distributing malware. The use of common macros decreased by approximately 66% between October 2021 and June 2022. On the other hand, the use of ISO files (a disc image) registered an increase of over 150%, while the use of LNK (Windows File Shortcut) files increased a staggering 1,675% in the same timeframe. These file types can bypass Microsoft's macro-blocking protections.

"Threat actors pivoting away from directly distributing macro-based attachments in email represents a significant shift in the threat landscape," Sherrod DeGrippo, Vice President, Threat Research and Detection at Proofpoint, said in a press release. "Threat actors are now adopting new tactics to deliver malware, and the increased use of files such as ISO, LNK, and RAR is expected to continue."

Moving With the Times

In an email exchange with Lifewire, Harman Singh, Director at cybersecurity service provider Cyphere, described macros as small programs that can be used to automate tasks in Microsoft Office, with XL4 and VBA macros being the kinds most commonly used by Office users.

From a cybercrime perspective, Singh said threat actors can use macros for some pretty nasty attack campaigns. For instance, macros can execute malicious lines of code on a victim's computer with the same privileges as the logged-in person. Threat actors can abuse this access to exfiltrate data from a compromised computer or to even grab additional malicious content from the malware's servers to pull in even more damaging malware.

However, Singh was quick to add that Office isn't the only way to infect computer systems, but "it's one of the most popular [targets] due to the usage of Office documents by almost everyone on the Internet."

To rein in the menace, Microsoft started tagging some documents from untrusted locations, like the internet, with the Mark of the Web (MOTW) attribute, a marker that records the file's untrusted origin and triggers Office's security features.

In its research, Proofpoint claims the decrease in the use of macros is a direct response to Microsoft's decision to tag files with the MOTW attribute.

Singh isn't surprised. He explained that compressed archives like ISO and RAR files don't rely on Office and can run malicious code on their own. "It's obvious that changing tactics are part of cybercriminals' strategy to ensure they put their effort on the best attack method that has the highest probability of [infecting people]."

Containing Malware

Embedding malware in compressed files like ISO and RAR files also helps evade detection techniques that focus on analyzing the structure or format of files, explained Singh. "For example, many detections for ISO and RAR files are based on file signatures, which can be easily removed by compressing an ISO or RAR file with another compression method."
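The evasion Singh describes above, hiding an ISO or RAR inside another container so that outer-file signatures no longer match, is exactly what a content-inspection check on a mail gateway has to defeat. The following Python script is an added example, not Proofpoint's or Cyphere's tooling: it identifies LNK, ISO and RAR payloads by their magic bytes rather than by file extension, and recurses into ZIP containers so that an outer archive cannot mask the inner file type. The file names and the sample attachment are constructed for the demonstration; the magic-byte values are the published format identifiers.

```python
"""Nested-archive inspection (constructed example). Flags container types that
carry their own execution path (LNK, ISO, RAR) by content, not by extension,
and looks inside ZIP files so re-wrapping an ISO or RAR does not hide it."""
import io
import zipfile

# ShellLink header: HeaderSize 0x4C followed by the fixed LinkCLSID.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
# ISO 9660: primary volume descriptor at sector 16; "CD001" follows the type byte.
ISO_ID_OFFSET = 0x8001
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ZIP_MAGIC = b"PK\x03\x04"

MAX_DEPTH = 3               # stop recursing into deeply nested archives
MAX_MEMBER_BYTES = 50 << 20  # skip members whose declared size is suspicious (zip bomb guard)
FLAGGED_TYPES = {"lnk", "iso", "rar"}


def identify(data: bytes) -> str:
    """Return a short type label based on magic bytes, ignoring the file name."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if len(data) >= ISO_ID_OFFSET + 5 and data[ISO_ID_OFFSET:ISO_ID_OFFSET + 5] == b"CD001":
        return "iso"
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def scan(data: bytes, path: str = "attachment", depth: int = 0) -> list:
    """Return [(path, type)] for every flagged member, descending into ZIPs."""
    findings = []
    kind = identify(data)
    if kind in FLAGGED_TYPES:
        findings.append((path, kind))
    if kind == "zip" and depth < MAX_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                        continue
                    findings.extend(scan(zf.read(info), f"{path}/{info.filename}", depth + 1))
        except (zipfile.BadZipFile, RuntimeError):
            # Corrupt or password-protected archive: report it rather than silently passing it.
            findings.append((path, "zip-unreadable"))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed input: a ZIP holding a LNK mislabeled as .pdf, a benign text
    file, and a nested ZIP containing a minimal ISO image."""
    fake_iso = bytearray(ISO_ID_OFFSET + 5 + 64)
    fake_iso[ISO_ID_OFFSET - 1] = 1          # volume descriptor type: primary
    fake_iso[ISO_ID_OFFSET:ISO_ID_OFFSET + 5] = b"CD001"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("disk.iso", bytes(fake_iso))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.pdf", LNK_MAGIC + b"\x00" * 56)   # extension lies; content is a LNK
        zf.writestr("readme.txt", b"Please see attached.\n")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member_path, member_type in scan(build_sample_attachment()):
        print(f"FLAG {member_type:<6} {member_path}")
```

Two design choices matter here: typing by content means a renamed `.pdf` that is really a shortcut is still caught, and the depth and size limits keep the inspector itself from being turned into a denial-of-service target by a deliberately nested or inflated archive. A real gateway would extend `identify` to the other container formats it sees and treat an unreadable (encrypted) archive as a quarantine decision rather than a pass.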

[Image: Hands on a computer keyboard with a virus graphic overlaid on the screen. sarayut / Getty Images]

According to Proofpoint, just as with the malicious macros before them, email remains the most popular means of ferrying these malware-laden archives.

Proofpoint's research is based on tracking the activities of various notorious threat actors. It observed the new initial-access mechanisms being used by the groups that distribute Bumblebee and Emotet, as well as by several other cybercriminals delivering all kinds of malware.

"More than half of the 15 tracked threat actors that used ISO files [between October 2021 and June 2022] began using them in campaigns after January 2022," highlighted Proofpoint.

To shore up your defense against these changes in threat actors' tactics, Singh suggests people be wary of unsolicited emails. He also warns people against clicking links and opening attachments unless they're confident beyond doubt that these files are safe.

"Don't trust any sources unless you are expecting a message with an attachment," reiterated Singh. "Trust, but verify, for instance, call the contact before [opening an attachment] to see if it's really an important email from your friend or a malicious one from their compromised accounts."
