How Microsoft crippled cybercriminals' main infection technique


Could this be the twilight of one of the techniques most used by cybercriminals? According to cybersecurity firm Proofpoint, between October 2021 and June 2022, attackers reduced their use of VBA and XL4 (Excel 4.0) macros by 66%. Behind these technical names lies an automation system built into the Microsoft Office suite (Word, Excel, PowerPoint…), which lets users automate tasks such as updating figures in a database or producing reports.

Essential to the human resources and marketing departments of thousands of companies, macros have also been massively abused since the 2010s by cybercriminals, to the point of becoming the most widely used mechanism for the initial infection of victims. After years without directly addressing the issue, Microsoft has been working on it since October 2021, with success. According to Proofpoint, this is “one of the biggest changes to the email threat environment in recent history”. The problem: criminals are already shifting their efforts to other infection techniques.


The trap of Office macros finally disarmed

In February 2022, Microsoft quietly announced that it would change the default macro settings for Office files received from the Internet. This long-awaited change was welcomed by the entire cybersecurity community. Specifically, the vendor modified a button that allowed each user to manually enable macros. If the file contained a malicious macro, a single click on the “yes” button in the message displayed when opening the document was enough, and the damage was done. Since the change, this interaction is no longer possible. From now on, the user has to contact their network administrator to enable the macros, which drastically limits the risk of falling into the trap and triggering the deployment of malicious software.

If the largest cybercriminal groups such as Emotet or Dridex have exploited this attack technique so heavily, it is because it had many advantages. First, it allowed them to bypass the antivirus detection tools of email services. And for good reason: the malicious Excel or Word file does not contain the virus itself. The macro is just a command which, once activated, downloads the malware and starts its installation. Detecting the macro’s intentions therefore requires a deep level of analysis that is difficult to automate, especially since cybercriminals have methods to obfuscate their macros and hinder their analysis.

In addition, this infection method requires few technical skills, which makes it possible to mobilize a large workforce of novice criminals. It only takes a few brains to create the macros and set up the infection infrastructure; then anyone can launch the attacks. All they have to do is write a convincing email (impersonating a colleague or a client, for example) that encourages the target to open the attachment and trigger the macros. The more personalized the email is to the victim, the more likely it is to hit the mark.

Cybercriminals are adapting

Since Microsoft’s first announcements in October, cybercriminals have begun to adapt their methods. According to Proofpoint researchers, they have resorted to “container files” such as ISO (.iso), RAR (.rar) or ZIP (.zip) archives, which can hold other files, to bypass the new macro block. In detail, these formats prevent the Office software from applying the “Mark of the Web” (MOTW) tag to the file containing the malicious macro. It is this attribute, which indicates that a file was downloaded from the Internet, that triggers the default blocking of macros.

Specifically, when the victim downloads a ZIP or ISO file, the archive itself receives the MOTW marker. But if the victim extracts the .zip, the documents it contains will not carry the label, since they are not considered to have been downloaded from the Internet. Cybercriminals can therefore use this Trojan-horse-like scheme to embed an Excel file with malicious macros, which the victim can trigger because the new protection is never activated. The container can also carry files in .lnk, .dll or .exe format, which directly contain the virus.
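The two points above (a macro-enabled Office document is just a downloader command, and a container archive strips the Mark of the Web from whatever it carries) suggest a simple defensive triage check that neither the article nor Proofpoint provides. The following is an added example, not code from the original page: it unpacks a ZIP attachment in memory, flags Office documents that carry a VBA project (an OOXML file is itself a ZIP, and its macros live in a `vbaProject.bin` entry), flags the directly executable file types the article names (.lnk, .dll, .exe), and recurses into nested ZIPs. It also shows how the MOTW can be read on NTFS through the `Zone.Identifier` alternate data stream; on other file systems that check simply reports False. Only ZIP containers are handled (ISO and RAR would need additional parsers); the sample attachment, file names and byte contents are constructed here for illustration.

```python
import io
import os
import zipfile
from dataclasses import dataclass

# File types the article names as being carried inside containers.
DIRECT_PAYLOAD_EXTS = {".lnk", ".dll", ".exe"}
# Office formats that may embed a VBA project (OOXML variants are ZIPs themselves).
OFFICE_EXTS = {".docm", ".xlsm", ".pptm", ".docx", ".xlsx", ".pptx", ".dotm", ".xltm"}
# Assumption: only ZIP containers are inspected; ISO/RAR would need extra parsers.
CONTAINER_EXTS = {".zip"}


@dataclass
class Finding:
    path: str    # entry path inside the attachment, nested containers joined with "/"
    reason: str


def ooxml_has_vba(data: bytes) -> bool:
    """True if an OOXML document contains a VBA project (word/, xl/ or ppt/ vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(name.lower().endswith("vbaproject.bin") for name in doc.namelist())
    except zipfile.BadZipFile:
        return False  # legacy binary formats or junk bytes: not an OOXML package


def scan_container(data: bytes, prefix: str = "") -> list[Finding]:
    """Walk a ZIP attachment in memory and report entries that would dodge the macro block."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = os.path.splitext(info.filename)[1].lower()
            inner = zf.read(info)
            if ext in DIRECT_PAYLOAD_EXTS:
                findings.append(Finding(path, f"executable payload ({ext}) inside container"))
            elif ext in CONTAINER_EXTS:
                # Nested archives lose the MOTW one more level down; recurse.
                findings.extend(scan_container(inner, path + "/"))
            elif ext in OFFICE_EXTS and ooxml_has_vba(inner):
                findings.append(Finding(path, "Office document with VBA project inside container"))
    return findings


def has_mark_of_the_web(path: str) -> bool:
    """Read the NTFS Zone.Identifier stream; ZoneId 3 (Internet) or 4 (Restricted) is the MOTW.

    On non-NTFS file systems the stream name is just a missing file, so this returns False.
    """
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="ignore") as ads:
            for line in ads:
                if line.strip().startswith("ZoneId="):
                    return line.strip().split("=", 1)[1] in {"3", "4"}
    except OSError:
        pass
    return False


def build_sample_attachment() -> bytes:
    """Constructed sample: ZIP with a macro workbook, a clean workbook, a .lnk and a nested ZIP."""
    def make_office_doc(part_dir: str, with_vba: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as doc:
            doc.writestr("[Content_Types].xml", "<Types/>")
            doc.writestr(f"{part_dir}/document.xml", "<root/>")
            if with_vba:
                doc.writestr(f"{part_dir}/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
        return buf.getvalue()

    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr("report.docm", make_office_doc("word", with_vba=True))

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.xlsm", make_office_doc("xl", with_vba=True))
        zf.writestr("notes.xlsx", make_office_doc("xl", with_vba=False))
        zf.writestr("open_me.lnk", b"L\x00\x00\x00 placeholder")
        zf.writestr("archive/nested.zip", nested.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in scan_container(build_sample_attachment()):
        print(f"{finding.path}: {finding.reason}")
```

Run stand-alone, the script lists three entries: the macro-enabled workbook, the shortcut file and the macro-enabled document hidden one archive deeper, while the clean `notes.xlsx` is ignored. In a mail-gateway or endpoint triage pipeline, a non-empty finding list on an attachment that itself carries the MOTW is exactly the case the article describes: the archive is marked, but nothing inside it will be.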

However, this new method has drawbacks. It requires an additional click from the victim, giving them more time to realize that the file is suspicious. And users are more wary of a file with an unfamiliar extension than of a Word or Excel file, since they open several of those a day. Suffice it to say that Microsoft’s change has made the cybercriminals’ task harder.