"After Microsoft Macro Malware Crackdown, Attackers Explore New Options"

After Microsoft began rolling out a plan to block macros obtained from the Internet by default, threat actors are now using new malware delivery methods for spear-phishing attacks that rely less on malicious macros. IBM Security's X-Force Threat Intelligence team has observed attackers increasingly using other types of downloaders or droppers that do not rely on macros, including XLL files, ISO images, Microsoft shortcut files, and MSI files. According to the team, these files have been used to distribute Emotet, Qakbot, and other payloads. Some cases suggest that attackers could be trying out new file types to get a better understanding of how well they work compared with approaches that rely on macros.

For example, researchers observed attackers using XLL files in a recent low-volume Emotet campaign. An XLL file is a type of Dynamic Link Library (DLL) file designed to extend Excel functionality. The campaign departed from the malware's typical behavior, which previously relied on Microsoft Excel or Word documents containing VBA or XL4 macros. An analysis conducted by Proofpoint researchers suggested that the threat actor behind Emotet, TA542, was experimenting with these new tactics on a small scale before using them more widely. The Proofpoint researchers have also seen various threat actors using XLL files to stage their payloads, including those delivering other high-profile botnets or banking Trojan variants.

However, Sherrod DeGrippo, vice president of threat research and detection with Proofpoint, emphasizes that macros are still widely used by attackers, noting that more than 1.5 million messages involving malicious macros were observed within the last 30 days. This article continues to discuss observations regarding attackers increasingly exploring alternative techniques that decrease their reliance on malicious macros.
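The shift described above matters for anyone tuning mail-gateway or EDR rules that were written around macro-bearing Office documents. The following is an added example, not code from the article, IBM X-Force, or Proofpoint: it triages constructed mail-gateway log lines (the log format is hypothetical) by attachment type, separating classic macro-capable Office formats from the macro-free loader types named in the summary (XLL, ISO, LNK, MSI), and cross-checks the extension against the file's leading bytes where a fixed header exists. The one fact it leans on from the text is that an XLL is a DLL, so it must begin with the PE "MZ" header.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Attachment extensions the summary names as macro-free delivery vehicles
# (XLL add-ins, ISO images, Windows shortcut files, MSI installers).
MACRO_FREE_LOADERS = {".xll", ".iso", ".lnk", ".msi"}

# Classic macro-capable Office formats (VBA or Excel 4.0 macro sheets).
MACRO_CAPABLE = {".doc", ".dot", ".xls", ".xlt", ".docm", ".xlsm", ".xlsb", ".pptm"}

# Leading bytes expected for the loader types, hex-encoded. An XLL is a DLL,
# so it starts with the "MZ" PE header; LNK and MSI have their own fixed
# headers. ISO 9660 carries no signature in its first bytes (the primary
# volume descriptor sits at offset 0x8001), so it cannot be confirmed here.
EXPECTED_MAGIC = {
    ".xll": "4d5a",
    ".lnk": "4c000000",
    ".msi": "d0cf11e0a1b11ae1",
}

# Hypothetical gateway log format (constructed for this example):
# <ts> mailgw: msgid=<id> from=<sender> attach="<name>" magic=<hex of leading bytes>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) mailgw: msgid=(?P<msgid>\S+) from=(?P<sender>\S+) '
    r'attach="(?P<name>[^"]+)" magic=(?P<magic>[0-9a-f]*)$'
)


def classify_attachment(name, magic):
    """Return (category, note) for one attachment given its name and leading bytes."""
    ext = PurePosixPath(name.lower()).suffix   # handles double extensions like x.pdf.lnk
    if ext in MACRO_CAPABLE:
        return "macro-capable-office", ""
    if ext in MACRO_FREE_LOADERS:
        expected = EXPECTED_MAGIC.get(ext)
        if expected is None:
            return "macro-free-loader", "header not verifiable from leading bytes"
        if magic.startswith(expected):
            return "macro-free-loader", "header matches extension"
        # Extension says loader, bytes say something else: worth an analyst's look.
        return "macro-free-loader", "header does not match extension (possible disguise)"
    return "other", ""


def parse_line(line):
    """Parse one log line into a dict with a category attached, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["category"], rec["note"] = classify_attachment(rec["name"], rec["magic"].lower())
    return rec


def triage(lines):
    """Return (all findings, per-category counts, records flagged as macro-free loaders)."""
    findings = [r for r in map(parse_line, lines) if r is not None]
    counts = Counter(f["category"] for f in findings)
    flagged = [f for f in findings if f["category"] == "macro-free-loader"]
    return findings, counts, flagged


# Constructed sample log: senders, names and byte strings are made up for this example.
SAMPLE_LOG = [
    '2023-02-01T09:12:03Z mailgw: msgid=m1 from=billing@example.net attach="Invoice_0221.xlsm" magic=504b030414000600',
    '2023-02-01T09:14:41Z mailgw: msgid=m2 from=docs@example.org attach="Statement.xll" magic=4d5a900003000000',
    '2023-02-01T09:15:09Z mailgw: msgid=m3 from=scan@example.org attach="Scan_0042.iso" magic=0000000000000000',
    '2023-02-01T09:16:52Z mailgw: msgid=m4 from=legal@example.com attach="Contract.pdf.lnk" magic=4c0000000114020000000000',
    '2023-02-01T09:18:20Z mailgw: msgid=m5 from=it@example.com attach="Setup.msi" magic=d0cf11e0a1b11ae1',
    '2023-02-01T09:19:33Z mailgw: msgid=m6 from=hr@example.net attach="Report.xll" magic=d0cf11e0a1b11ae1',
    '2023-02-01T09:20:05Z mailgw: msgid=m7 from=friend@example.org attach="Photo.png" magic=89504e470d0a1a0a',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    findings, counts, flagged = triage(SAMPLE_LOG)
    print(dict(counts))
    for f in flagged:
        print(f'{f["msgid"]} {f["name"]:<20} {f["note"]}')
```

The point of the magic-byte cross-check is the last column: an `.xll` attachment whose bytes are not a PE image (msgid m6 above) is as interesting as one that is, and a rule keyed only on "Office document with macros" sees none of these seven messages as notable.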

Decipher reports "After Microsoft Macro Malware Crackdown, Attackers Explore New Options"