Microsoft's secure VBA macro rules already being bypassed by hackers

The cyber criminal group operating the resurgent Emotet botnet have been observed trialling new attack techniques after Microsoft’s new rules on macro-enabled documents come into force.

Attributed to Threat Actor 542 (TA542), Proofpoint researchers said Emotet has been observed taking a ‘spring break’ with low levels of activity coinciding with observed changes in attack methodology.

Emotet has typically exploited weak rules on macro-enabled Microsoft Office documents to deliver the malware payload to victims, but now Microsoft has made the default handling of macro-enabled documents more secure, its attack vectors are seemingly about to change.

In a report published today, Proofpoint said it observed Emotet moving away from malicious Office documents and instead is now opting to include OneDrive URLs in spam email campaigns that lead to the download of a zip archive containing XLL files that drop Emotet malware.

The malicious emails are typically designed to lure victims with one-word subject lines such as ‘Salary’ with the zip archive files adopting similar file names as the original lure: ‘Salary_new.zip’ was one example which contained XLL file names such as ‘Salary_and_bonuses-04.01.2022.xll’.

The XLL files will drop and run Emotet which uses the Epoch 4 botnet, Proofpoint said. It’s a new attack method, the timing of which - coinciding with Microsoft’s more secure handling of VBA macros - is not a coincidence.

Asked whether the trial of new attack tactics, techniques, and procedures (TTPs) was linked to the new rules on macro-enabled Office documents, Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said it “absolutely” was.

“This is something threat actors who are agile and experienced like TA542 will likely continue to do as time goes on,” she said to IT Pro. “The Microsoft choice to make changes to default handling of macro documents has implications on the threat landscape and this could be a part of threat actors making decisions to leverage new attack chains that aren’t impacted by that decision.

“Malicious macro documents are a large part of the threat landscape, but they’re not the only option. We regularly observe actors using container files like .iso’s, for example. Threat actor groups will continue to experiment, and early signs point towards XLL files being one direction the landscape may shift toward.”

Microsoft announced changes to the default handling of VBA macros in February, the rules of which came into force this month. It also said it would disable XL4 macros last year, both moves were made to stymie cyber attacks using this method of payload delivery.

IT Pro asked Proofpoint for data on the number of successful Emotet attacks it has observed, and the number of Emotet attacks taking place since its 2021 resurgence, but it was unable to share the data.

Other cyber security outfits, such as Black Lotus Labs, have published their findings after tracking Emotet’s new version, saying that in March 2022, unique Emotet detections were in the tens of thousands per day. Check Point also said it was the most prevalent malware strain it tracked in March 2022.

“After months of consistent activity, Emotet is switching things up,” said DeGrippo. “It is likely the threat actor is testing new behaviours on a small scale before delivering them to victims more broadly, or to distribute via new TTPs alongside its existing high-volume campaigns.

“Organisations should be aware of the new techniques and ensure they are implementing defences accordingly.”