With Microsoft taking steps to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default across Office apps, malicious actors are responding by refining their tactics, techniques, and procedures (TTPs).
"The use of VBA and XL4 Macros decreased approximately 66% from October 2021 through June 2022," Proofpoint said in a report shared with The Hacker News, calling it "one of the largest email threat landscape shifts in recent history."
In its place, adversaries are increasingly pivoting away from macro-enabled documents to other alternatives, including container files such as ISO and RAR as well as Windows Shortcut (LNK) files in campaigns to distribute malware.
"Threat actors pivoting away from directly distributing macro-based attachments in email represents a significant shift in the threat landscape," Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said in a statement.
"Threat actors are now adopting new tactics to deliver malware, and the increased use of files such as ISO, LNK, and RAR is expected to continue."
VBA macros embedded in Office documents sent via phishing emails have proven to be an effective technique in that it allows threat actors to automatically run malicious content after tricking a recipient into enabling macros via social engineering tactics.
However, Microsoft's plans to block macros in files downloaded from the internet have led to email-based malware campaigns experimenting with other ways to bypass Mark of the Web (MOTW) protections and infect victims.
This involves the use of ISO, RAR and LNK file attachments, which have surged nearly 175% during the same period. At least 10 threat actors are said to have begun using LNK files since February 2022.
"The number of campaigns containing LNK files increased 1,675% since October 2021," the enterprise security company noted, adding that the number of attacks using HTML attachments more than doubled from October 2021 to June 2022.
Some of the notable malware families distributed through these new methods consist of Emotet, IcedID, Qakbot, and Bumblebee.
"Generally speaking, these other file types are directly attached to an email in the same way we would previously observe a macro-laden document," DeGrippo told The Hacker News in an emailed response.
"There are also cases where the attack chains are more convoluted, for example, with some recent Qbot campaigns where a .ZIP containing an ISO is embedded within an HTML file directly attached to a message."
"As for getting intended victims to open and click, the methods are the same: a wide array of social engineering tactics to get people to open and click. The preventive measures we use for phishing still apply here."
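The nested chain DeGrippo describes above (a ZIP holding an ISO, smuggled inside an HTML attachment) can be surfaced at the mail gateway by decoding long base64 runs in the HTML and classifying what is inside by file signature. The following Python is an added example, not code from Proofpoint or The Hacker News; the base64 length threshold, the recursion bound and the sample attachment are constructed for illustration.

```python
import base64, binascii, io, re, zipfile

# File signatures for the container types the report names (prefix matches).
SIGNATURES = [(b"PK\x03\x04", "zip"), (b"Rar!\x1a\x07", "rar"),
              (b"\x4c\x00\x00\x00\x01\x14\x02\x00", "lnk")]  # 0x4C header size + ShellLink CLSID
ISO_MAGIC = b"CD001"  # ISO 9660 volume descriptor identifier at byte 0x8001 (sector 16)
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long base64 runs: the HTML-smuggling carrier

def classify_blob(data: bytes) -> str:
    """Return the container type of a decoded blob from its file signature."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    if len(data) > 0x8006 and data[0x8001:0x8006] == ISO_MAGIC:
        return "iso"
    return "unknown"

def container_chain(data: bytes, depth: int = 0) -> list:
    """Classify a blob and recurse into ZIP members, e.g. ['zip', 'iso'] for the Qbot chain."""
    chain = [classify_blob(data)]
    if chain[0] == "zip" and depth < 3:  # bounded recursion against zip-in-zip nesting
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    chain += container_chain(zf.read(member), depth + 1)
        except zipfile.BadZipFile:
            chain.append("corrupt-zip")
    return chain

def find_smuggled_containers(html: str) -> list:
    """Decode each long base64 run in an HTML attachment and report the container chains found."""
    findings = []
    for match in BASE64_RUN.finditer(html):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue
        chain = container_chain(blob)
        if chain[0] != "unknown":
            findings.append(chain)
    return findings

def build_sample_html() -> str:
    """Constructed sample: a ZIP holding a minimal ISO-9660-shaped image, base64-embedded in HTML."""
    iso = bytearray(0x8000 + 2048)  # 16 system sectors plus one volume descriptor sector
    iso[0x8000] = 1                 # primary volume descriptor type byte
    iso[0x8001:0x8006] = ISO_MAGIC
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # ZIP_STORED default keeps the inner signature intact
        zf.writestr("invoice.iso", bytes(iso))
    payload = base64.b64encode(buf.getvalue()).decode()
    return f"<html><body><script>var blob = '{payload}';</script></body></html>"
```

Running `find_smuggled_containers(build_sample_html())` reports `[['zip', 'iso']]`, which is the shape worth alerting on regardless of what the inner ISO would eventually contain.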
The reason rivers and seas can be kings of the hundred valleys is that they are good at staying below them; that is why they can be kings of the hundred valleys.
(Tao Te Ching, Chapter 66)
This article is translated from:
https://thehackernews.com/2022/07/hackers-opting-new-attack-methods-after.html
If you repost this, please cite the original source.
My translation skills are limited :(
Where anything is ambiguous, please defer to the original :)