New Era of Phishing Payloads

Written by Ratan Gupta
Security Research Intern @ FourCore
Macro Depreciation

On July 21, 2022, Microsoft announced an update that would have massive implications for cybersecurity. Macros will be blocked by default in all Office documents downloaded from the internet. This blog provides a brief into macros and how they pose a threat to society before discussing Microsoft’s latest security measures against macros and how threat actors adapt to alternate Initial Access TTPs post macro deprecation.

What are Macros?

A macro is a small piece of code written in Visual Basic for Applicaitons(VBA) and is used to automate a specific task in Microsoft Office applications. These tasks are repetitive in nature, therefore Microsoft provides the functionality for users to record macros and embed them in Office documents. Additionally, all Office applications have the feature to enable or disable the use of macros.

Threats Posed by Macros

The macro-infected Office documents can be spread using email attachments, downloadable links, and shared via cloud services such as Office 365. The most common way to spread macros is using Phishing. Malicious macros contain malware that has the potential to harm a system in several ways. For instance, a malicious macro could use the VBA KILL command to delete files from a user’s hard drive.

Threat actors also adopt various techniques to lure users into enabling macros. Some of the techniques are mentioned below:

  • Display a dialogue box stating “Click to view contents”, which will trigger a macro
  • Display a dialogue box stating “Protected/encrypted document. Please enable content to view decrypted document”,
  • Display a dialogue box stating, “Protected by anti-virus. Please click on the following to view the document”,
  • Display a dialogue box stating, “This document was created in a newer version of Office. Enable macros to view”, and more.
Macro Enable Click

Microsoft's stance against Macros

On July 21, 2022, Microsoft announced an update that would have massive implications for cybersecurity. Macros will be blocked by default in all Office documents downloaded from the internet. The change will not affect users who have enabled or disabled the "Block macros from running in Office files for the Internet" policy.

This means that users cannot Enable Macro Content with a simple click. Instead, this will be the default behaviour. Factors like the source of the file, i.e. "Trusted Location" and "Trusted Document", and the sender's digital signature play an essential role in determining whether the macros in the downloaded document will be allowed to run.

With the new roll-out already in motion, threat actors now have no choice but to get creative and come up with different Initial Access (TA0001) techniques.

Since Microsoft first announced its intentions to disable macros by default, Proofpoint researchers had found a decline of 66% in the use of macro-enabled attachments by threat actors. Moreover, CSOOnline states that Initial Access attacks by TTPs (excluding Office macros) have increased by 1,600% over the last ten months.

 The evaluation flow of downloaded Office documents with VBA macros and MOTW
The evaluation flow of downloaded Office documents with VBA macros and MOTW

Mark of the Web (MOTW): Microsoft's Prime Defence against Macros

Understanding Mark-of-the-Web is essential to understanding Microsoft's protection mechanism to fend against macro-infected Office documents. MOTW is an attribute assigned to any file downloaded from the Internet and is only compatible with an NTFS file system. The MOTW is not yet compatible with any other file system.

Any file downloaded from the Internet possesses an Alternate Data Stream(ADS), which contains information about the file. One such attribute of the ADS is the Zone Identifier. Modern browsers automatically add the zone information when downloading the file to an NTFS system—the Zone.Identifier indicates the source or the zone of the file. The zones are as follows: the Internet, the restricted zone, the local machine, the intranet, and the trusted zone. Each zone facilitates different behaviour concerning the file and how the system accesses it.

The value of Zone.Identifier is Mark-of-the-Web. It is a comment added to an HTML file which specifies the URL of the HTML webpage. When the file is downloaded, this information is stored in a specific format as the Zone.Identifier.

Changing Attack Patterns Post Macro Deprecation

As Microsoft plans to ban macros using Mark-of-the-Web, it makes sense for threat attackers to use alternate TTPs to bypass MOTW. This has brought about a massive shift in the email threat landscape as we know it.

Predominantly, threat actors distributed macro-infected Office documents and phishing emails and attempted to lure users into enabling macros on the downloaded files. With the protection now offered by Mark-of-the-Web, threat actors are attempting to bypass MOTW using container file formats such as ISO(.iso), RAR(.rar), and ZIP(.zip). In addition, file formats such as Windows shortcuts (LNKs), DLLs, and executables (EXEs) are used.

As discussed before, Mark-of-the-Web is an NTFS feature and files that are tagged with the MOTW have certain restrictions and security measures put in place for them. Based on the MOTW value, the system knows if it can trust the files or not. However, some container files do not support the NTFS-ADS feature. Therefore, the container files will be tagged with MOTW when downloaded, but the files extracted from these container files will not be tagged and then executed without protection and treated like a local file.

These files may be macro-infected Office documents or LNKs/DLLs/EXEs distributed to deliver malware to the user’s system.

  • If macro-infected Office documents are delivered, the user will still have to enable macros by clicking “Enable Content”, but there would be no protection against it as the system will think of the documents as local files.
  • If LNKs/DLLs/EXEs are delivered, they can install malicious payloads into the system.

According to McAfee and The Hacker News, threat actors are using ISOs and LNKs to deliver numerous malwares, the most important being Emotet, Bumblebee, Qakbot, IcedID, and Bazarloaders, etc.

Emotet: A Case Study

Emotet operators are among the leading and most noteworthy initial access brokers today. However, since its introduction to the world in 2014, Emotet has come a long way from just a banking Trojan to a catastrophic malware.

Researchers at Kroll have spent much time analyzing Emotet's delivery method and operation procedure. For this blog's scope, we will provide a summary of its operation and how Emotet shifted its delivery method from macro-infected Office documents to .LNK files.

Lately, the Emotet malware is now distributed using emails with ZIP archive files that are password protected and contain .LNK files. The .LNK files are Windows shortcut files that, when executed, run malicious VBScripts or Powershell executables embedded into the .LNK files. This delivery method ensures the malware will bypass set security controls like Windows's Mark of the Web feature.

Emotet's Chain of Attack
Emotet's Chain of Attack

The attack chain starts with the delivery of the .ZIP archive file as an email attachment. The ZIP (tagged by the system with the MOTW attribute) contains a Windows shortcut .LNK file (MOTW attribute will not propagate to this file).

The .LNK will call the Command Line (cmd.exe) to use the findstr Windows utility. The findstr will receive a string, a form of metadata left by creating the .LNK file. The execution of the .LNK will save this string in the temp folder and run it from there, while the rest of the .LNK content will be saved in the temp folder as a visual basic script .VBS file.

The .VBS file is then used to download a 64-bit DLL file using the wscript Windows utility. This DLL contains within it an embedded Emotet loader. The loader allocates an area of memory where a specific resource of the DLL is loaded and decrypted.

This decrypted data is the final Emotet payload which is also a 64-bit DLL, the execution of this final payload is carried out by allocating a second memory region where the previously decrypted resource contents are copied. These resource contents make up distinct sections in the allocated memory region. These sections are then mapped into a third memory area and executed by the regsvr32 Windows utility.

Conclusion

The shift in malware delivery methods by threat actors didn’t take much time post Microsoft’s announcement on the ban of Office macros. The use of alternate Initial Access TTPs is already on the rise and will increase exponentially with time, as is already being observed by the increase in the use of container file formats such as ISOs/RARs/ZIPs, and LNKs/DLLs/EXEs. Security researchers and defence teams must prepare for the massive shift in the email threat landscape.

References