Microsoft blocked malicious macros, but hackers have found another way

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Now that macros in downloaded Microsoft Office files are officially dead, it was only a matter of time before hackers came up with a new scheme.

According to cybersecurity experts Proofpoint, they’ve found not one, not two, but three new methods to get victims to download malware.

The company’s latest report says that instead of macro-laden Office files, which are now on a significant decline, crooks are going for container files, shortcuts, and HTML files. 

Shortcuts spiking

From October 2021 until today, the number of macro-powered Office files used to distribute malware drooped by a whopping two-thirds (66%). On the other hand, the use of container files (ISO files, ZIP, RAR files, and similar) rose by approximately 175%. Container files are a great way to avoid antivirus solutions, and if they also come with a password, their perceived legitimacy grows that much bigger.

As for shortcut files (.LNK), their use exploded in February 2022, rising by 1,675% since October the year before. Proofpoint says that ten separate threat actors are now favoring shortcut files to distribute malware, and that includes some of the heavy-hitters like Emotet, Qbot, or IcedID.

The icons of the shortcut files can be changed to virtually anything, helping crooks masquerade these files as PDFs, or Word documents. 

They’re also quite potent, as they can execute almost any command for which the victim has permission, including the execution of PowerShell scripts which, in this particular case, the crooks use to get people to download malware from the internet.

Proofpoint is also saying there’s been a noticeable rise in the use of HTML attachments, as these types of files can also be used to drop malware on target endpoints, while avoiding email security systems. Still, HTML attachments have relatively low volume, especially compared to container files and shortcuts. Whether or not that changes in the future, remains to be seen.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.