Friday 30 September 2022, 09:00 - 09:30 Red room
Hossein Jazi (Malwarebytes)
It was early February this year when Microsoft announced that Internet macros would be blocked by default to improve the security of Microsoft Office. Before this announcement, Office documents were the primary initial infection vector used by cybercrime actors as well as some nation-state groups.
Since the news broke, we have observed a number of threat actors that have started to test and adopt new methods. For example, the Emotet gang was primarily using Office documents to spread Emotet, but as of late April this year they started to adopt Windows shortcut files (.LNK).
Other actors have followed this trend, and we have observed new methods for spreading their malware. For instance, Qbot started to use the HTML smuggling technique to distribute .iso images. Additionally, some older methods of distributing malware, such as archive files, are becoming popular again.
Besides using new and old methods, we have noticed that efforts to find new vulnerabilities in Microsoft Office products have increased. Case in point: the recent Follina exploit can drop payloads from Word documents without using macros at all.
In this presentation, we will talk about the different methods threat actors have used to move away from macro-based documents. More specifically, we will walk through the initial infection vector techniques for each actor we observed.
We will also provide statistics that show how Office documents have become less popular over time and how other techniques are gaining momentum.
Hossein Jazi serves as a manager within the threat intelligence team at Malwarebytes. He is an active researcher whose research interests include APT tracking, malware analysis, cyber threat intelligence, and machine learning. Currently his focus is on hunting and tracking APTs and publishing blogs on their activities. He has been specializing in cyber security and APT analysis for over 12 years.