Microsoft Excel attacks fall out of fashion with hackers


Cybercriminals are moving away from Microsoft Excel as a method to hide malware on the computers of potential victims.

Security vendor Hornetsecurity said its researchers noted a significant drop during July in the volume of malware-laden emails that relied on malicious Excel documents. The company’s monthly email threat report noted that from June to the end of July, Excel attacks dropped by nearly 10 percentage points.

This, the Hornetsecurity team believes, is largely due to a key decision by Microsoft to disable the execution of macro code that has long been abused by malware operators to hijack machines when a document file is opened.

“The drop in Excel documents used in attacks from 14.4% to 5.1% can be attributed to attackers changing tactics due to Microsoft’s measures to disable Excel 4.0 macros by default,” Hornetsecurity said in its report.

“Notable malicious macros distributed via Excel 4.0 malicious macros were QakBot and Emotet. QakBot went through a complex infection chain using HTML smuggling and DLL sideloading, which we highlight later in this report.”

With Excel macros turned off by default, researchers found that many of the biggest malware groups had to find other, more complicated ways to infect machines. The aforementioned Qakbot was an extreme example.

The Hornetsecurity team discovered that Qakbot hackers chose to build a scheme where an attached HTML document is presented as an Adobe PDF document and prompts the victim to download a ZIP file under the guise of reader software. This payload then launches and automatically installs the DLL files used for the sideloading attack and the final installation of the Qakbot malware itself.
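For mail-gateway or SOC triage, the delivery pattern described above (an HTML attachment that hands the victim a ZIP) can be checked for statically. The sketch below is an added example, not code from Hornetsecurity's report or from any Qakbot sample. It assumes the archive is carried as a base64 literal inside the HTML, and the function names and the inert sample input are constructed for illustration.

```python
import base64
import io
import re
import zipfile

# Assumption: general HTML-smuggling indicators, not rules from the report.
JS_SAVE_HINTS = ("atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob(")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long base64 literal
ZIP_MAGIC = b"PK\x03\x04"


def embedded_zip_members(html: str) -> list:
    """Names of files inside any base64-encoded ZIP carried in the HTML."""
    names = []
    for run in B64_RUN.findall(html):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4))
        except ValueError:  # not valid base64 after all
            continue
        if not raw.startswith(ZIP_MAGIC):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                names.extend(zf.namelist())
        except zipfile.BadZipFile:  # truncated or split archive
            names.append("<unreadable zip>")
    return names


def triage_html_attachment(html: str) -> dict:
    """Flag HTML that both carries a ZIP and references client-side save APIs."""
    hints = [h for h in JS_SAVE_HINTS if h in html]
    members = embedded_zip_members(html)
    return {"save_hints": hints, "zip_members": members,
            "suspicious": bool(hints) and bool(members)}


def constructed_sample() -> str:
    """Constructed, inert test input: a harmless ZIP plus API names in a comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "constructed sample data\n" * 20)
    blob = base64.b64encode(buf.getvalue()).decode()
    return ('<html><body><p>Document preview</p><script>var d="' + blob +
            '"; /* atob( new Blob( createObjectURL( */</script></body></html>')


if __name__ == "__main__":
    print(triage_html_attachment(constructed_sample()))
```

The check only covers a payload stored as one contiguous base64 string; an archive that is split, encoded differently or fetched at runtime will not match and needs dynamic analysis.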

While it’s not unusual for malware operators to change their techniques and tactics for phishing attacks, the researchers noted that Qakbot’s pivot was particularly drastic as a response to Microsoft’s new security policy.

“The code smuggling approach is effective at avoiding detection and allows Qakbot to infect a large number of victims. However, this approach requires Qakbot to keep updating its evasion techniques to stay ahead of detection,” Hornetsecurity CEO Daniel Hofmann told TechTarget Editorial. “We can see slight changes in the delivery method, e.g., the code can be smuggled using file types other than HTML.”

While the new security measures had a short-term impact on Excel attack volumes, Hofmann said the spreadsheet app is likely to remain a popular method of spreading malware through phishing and social engineering attacks for the foreseeable future.

“While the number of Excel documents attached to a phishing email decreased, Hornetsecurity still notes that the risk of Excel documents is significant,” Hofmann said. “Attackers change their strategy in how they deliver malicious Excel documents.”


