Malware distribution methods have changed significantly in the cyber threat landscape. Data analysis shows that Microsoft Office document files are no longer the preferred medium for delivering malware.
Cybercriminals are using more complex and elusive methods, such as alternative file formats and evasive techniques, reads the ASEC report.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
The New Trend
MS Office document files have been used for a long time to spread malware, from simple information stealers to sophisticated APT attacks.
However, there is a clear change in how malware is delivered, affecting the role of MS Office products in this scenario.
In the past, attackers used macros in Word and Excel documents to download more malware from malicious URLs.
However, this method has changed to using compressed executables in formats like ZIP, R00, GZ, and RAR or disk image files like IMG as email attachments.
This means that fewer Word and Excel files contain malware through hidden Office VBA macro code or Excel 4.0 (XLM) macros.
1-1. CHM (Windows Help Files)
There was a big increase in the use of Windows Help files (*.chm) to distribute malware in the second quarter of 2022.
This happened at the same time as the decrease in the use of Word and Excel files for malware distribution.
This shows that attackers are using different file formats that are not part of the MS Office suite to target users.
These CHM files often have catchy names, such as ‘COVID-19 Positive Test Results Notice,’ to attract users’ attention.
1-2. LNK (Shortcut Files)
In the second quarter of 2022, the notorious Emotet malware also changed its distribution method from MS Office products to LNK files.
Emotet had previously used VBA macro codes and Excel 4.0 (XLM) macros to spread malware, so this change is important for anti-malware solutions.
The background of these attacks suggests that the same attacker switched from MS Office to LNK files, following a similar pattern as the malicious CHM distribution process.
The change from using Word and Excel files to deliver malware has two benefits for cybercriminals.
It makes it harder to detect malware in document editing programs by static analysis, and it also makes it harder to identify the malware itself.
Attackers are using normal Windows processes and running malware without creating any files when they load malicious data, which makes it more difficult for security measures.
MS Office files are less used for distributing malware due to Microsoft’s announcement in early to mid-2021 about disabling Excel macros by default.
As a result, attackers have looked for new ways to avoid detection by anti-malware products.
Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.