
Microsoft's secure VBA macro rules already being bypassed by hackers

Recent analysis of Emotet activity has revealed a shift away from malicious Office documents to drop malware

The cyber criminal group operating the resurgent Emotet botnet has been observed trialling new attack techniques after Microsoft’s new rules on macro-enabled documents came into force.

Proofpoint researchers, who attribute Emotet to Threat Actor 542 (TA542), said the botnet has been observed taking a ‘spring break’, with low levels of activity coinciding with observed changes in attack methodology.

Emotet has typically exploited weak rules on macro-enabled Microsoft Office documents to deliver the malware payload to victims, but now that Microsoft has made the default handling of macro-enabled documents more secure, its attack vectors are seemingly about to change.

In a report published today, Proofpoint said it observed Emotet moving away from malicious Office documents and instead opting to include OneDrive URLs in spam email campaigns; the URLs lead to the download of a zip archive containing XLL files that drop Emotet malware.

The malicious emails are typically designed to lure victims with one-word subject lines such as ‘Salary’, and the zip archives adopt file names similar to the original lure: ‘Salary_new.zip’ was one example, which contained XLL files with names such as ‘Salary_and_bonuses-04.01.2022.xll’.

The XLL files drop and run Emotet, which uses the Epoch 4 botnet, Proofpoint said. It is a new attack method, and its timing, coinciding with Microsoft’s more secure handling of VBA macros, is not a coincidence.
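An XLL add-in is a Windows DLL that Excel loads and executes, so the delivery chain above (lure-named zip archive holding an .xll) can be triaged before the archive ever reaches a user. The following is an added example, not code from Proofpoint or the article, that inspects a constructed zip archive mirroring the ‘Salary’ lure naming and flags Excel add-in members by extension as well as any member whose content carries a PE header regardless of its name; the disguised `.docx` member is a constructed generalisation beyond the specific case in the text.

```python
import io
import zipfile

# Extensions Excel treats as add-ins; an .xll is a DLL that Excel executes on load.
ADDIN_EXTENSIONS = (".xll", ".xlam", ".xla")
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable/DLL


def triage_archive(archive_bytes):
    """Return a list of (member_name, reason) findings for a zip archive.

    Flags Excel add-in members by extension, and any member whose content
    starts with a PE header whatever its extension (an executable hiding
    behind a document-looking name).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))  # only the magic bytes are needed
            if name.lower().endswith(ADDIN_EXTENSIONS):
                findings.append((name, "excel-addin-extension"))
            if head == PE_MAGIC:
                findings.append((name, "pe-executable-content"))
    return findings


def build_sample_archive():
    """Constructed sample archive (not a real Emotet sample) mirroring the
    lure naming described in the article. The executable members are a fake
    two-byte PE header plus padding, not a working add-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Salary_and_bonuses-04.01.2022.xll", PE_MAGIC + b"\x00" * 62)
        zf.writestr("readme.txt", b"Please see attached.\n")
        # Constructed: executable content disguised under a document extension.
        zf.writestr("Salary_new.docx", PE_MAGIC + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in triage_archive(build_sample_archive()):
        print(f"{reason}: {member}")
```

The content check matters because the extension check alone is defeated by renaming; a mail gateway or EDR rule would act on either finding.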

Asked whether the trial of new attack tactics, techniques, and procedures (TTPs) was linked to the new rules on macro-enabled Office documents, Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said it “absolutely” was.

“This is something threat actors who are agile and experienced like TA542 will likely continue to do as time goes on,” she told IT Pro. “The Microsoft choice to make changes to default handling of macro documents has implications on the threat landscape and this could be a part of threat actors making decisions to leverage new attack chains that aren’t impacted by that decision.

“Malicious macro documents are a large part of the threat landscape, but they’re not the only option. We regularly observe actors using container files like .iso’s, for example. Threat actor groups will continue to experiment, and early signs point towards XLL files being one direction the landscape may shift toward.”

Microsoft announced changes to the default handling of VBA macros in February, and the rules came into force this month. Last year it also said it would disable XL4 macros; both moves were made to stymie cyber attacks using this method of payload delivery.


IT Pro asked Proofpoint for data on the number of successful Emotet attacks it has observed, and the number of Emotet attacks taking place since its 2021 resurgence, but it was unable to share the data.

Other cyber security outfits, such as Black Lotus Labs, have published their findings after tracking Emotet’s new version, saying that in March 2022, unique Emotet detections were in the tens of thousands per day. Check Point also said it was the most prevalent malware strain it tracked in March 2022.

“After months of consistent activity, Emotet is switching things up,” said DeGrippo. “It is likely the threat actor is testing new behaviours on a small scale before delivering them to victims more broadly, or to distribute via new TTPs alongside its existing high-volume campaigns.

“Organisations should be aware of the new techniques and ensure they are implementing defences accordingly.”
