When Microsoft restricted all Excel 4.0 macros by default in early 2022 to prevent threat actors from abusing the feature to distribute malware, many security experts thought threat actors would simply move to a different attack vector.
However, Netskope security researchers found that weaponized Excel files are still very popular, because many users are still running old and unprotected versions of the software and are therefore still susceptible to this type of attack.
In a blog post, Gustavo Palazolo, a threat research engineer on the Netskope team, described how the company recently found “hundreds” of malicious Office documents being used to download and run Emotet.
Single threat actor
Emotet is a trojan capable of stealing information and dropping additional malicious payloads on the target.
After doing a search for similar files on VirusTotal, the team discovered 776 malicious spreadsheets, sent in just a week and a half during the month of June. Most files share the same URLs and some metadata, leading researchers to conclude that it is likely the work of a single threat actor.
In total, the team extracted 18 URLs, four of which were still online and delivering the malicious payload at the time.
The files are being distributed in the traditional way – via email. The victim would receive an email claiming to be a payment form for a service, some medical bills or paperwork, or anything that could lead people to download and open the attachment, if nothing else, out of curiosity.
Some files were zipped and password protected, likely bypassing antivirus or email protection services.
Users running the file will see it empty, except for a message saying that the contents of the file are “protected” until they enable editing, which also effectively enables macros.
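The lure described above works because the Excel 4.0 macro sheet is hidden from the user while the decoy text is visible. In the OOXML container (.xlsm), Excel 4.0 macros are stored as parts under xl/macrosheets/, and xl/workbook.xml records which sheets are hidden or veryHidden. The following is an added defender-side example, not Netskope's tooling or code from the article: a scanner that opens an attachment, reports whether the archive is password protected, lists any macro sheets, and lists hidden sheets. The sample workbook is constructed inline from minimal XML parts and is not a file from the campaign; legacy binary .xls files are not zips and would need an OLE parser such as oletools' olevba instead.

```python
"""Flag Excel attachments that carry Excel 4.0 (XLM) macro sheets.

Added example (not from the article). Assumes the OOXML layout: XLM macros
live under xl/macrosheets/, and sheet visibility is recorded in
xl/workbook.xml as state="hidden" or state="veryHidden".
"""
import io
import re
import zipfile

# Constructed sample workbook parts; minimal XML, not a real campaign file.
SAMPLE_PARTS = {
    "[Content_Types].xml": "<Types/>",
    "xl/workbook.xml": (
        "<workbook><sheets>"
        '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        "</sheets></workbook>"
    ),
    "xl/worksheets/sheet1.xml": "<worksheet/>",
    "xl/macrosheets/sheet1.xml": "<macrosheet/>",
}


def build_sample_workbook(parts=SAMPLE_PARTS) -> bytes:
    """Pack the constructed parts into an in-memory zip shaped like an .xlsm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def scan_workbook(data: bytes) -> dict:
    """Return indicators found in an attachment's bytes.

    A legacy .xls (BIFF) file is not a zip and is reported as 'not-ooxml';
    it needs an OLE-aware parser rather than this container check.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"container": "not-ooxml", "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Bit 0 of the general-purpose flag marks an encrypted entry; a
        # password-protected archive cannot be inspected without the password.
        encrypted = any(info.flag_bits & 0x1 for info in zf.infolist())
        macrosheets = sorted(n for n in names if n.startswith("xl/macrosheets/"))
        hidden = []
        if "xl/workbook.xml" in names:
            workbook = zf.read("xl/workbook.xml").decode("utf-8", "replace")
            for match in re.finditer(r"<sheet\b[^>]*>", workbook):
                tag = match.group(0)
                state = re.search(r'state="(hidden|veryHidden)"', tag)
                name = re.search(r'name="([^"]*)"', tag)
                if state and name:
                    hidden.append((name.group(1), state.group(1)))
    return {
        "container": "ooxml",
        "encrypted": encrypted,
        "macrosheets": macrosheets,
        "hidden_sheets": hidden,
        # Any Excel 4.0 macro sheet in an email attachment warrants review.
        "suspicious": bool(macrosheets),
    }


if __name__ == "__main__":
    print(scan_workbook(build_sample_workbook()))
```

Run as-is, the scanner reports the constructed workbook as suspicious because it carries one macro sheet and a veryHidden sheet named Macro1; a legacy .xls would be reported as not-ooxml and should be routed to an OLE parser.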
To better defend against this type of phishing, companies are encouraged to educate their employees on how to spot phishing, keep their hardware and software up to date, and run proper antivirus solutions, firewalls and multi-factor authentication services.