15 May 2023

MS macro-blocking has forced cyber criminals to innovate | Computer Weekly


Proofpoint said that by the simple method of adding more friction, threat actors across the spectrum – from small-time players to experienced cyber criminal ransomware gangs – have had to make major changes to how they conduct “business”.

“Financially motivated threat actors that gain initial access via email are no longer using static, predictable attack chains, but rather dynamic, rapidly changing techniques,” wrote Larson and Wise in a newly published whitepaper. “Based on Proofpoint’s … telemetry analysing billions of messages per day, [we] have observed widespread threat actor experimentation in malware payload delivery, using old file types, unexpected attack chains, and a variety of techniques that result in malware infections, including ransomware.”

According to Larson and Wise, threat actors are still testing various behaviours to try to find the most effective method of using email to gain initial access, and no reliable, consistent alternative to macros has yet emerged. One of the largest cyber crime actors to start using PDF files is TA570, an active affiliate of the Qbot (aka Qakbot) trojan malware that has been linked to the ProLock and Egregor ransomware families.

Larson and Wise believe this trend will continue for the foreseeable future, and assessed it is unlikely a single attack chain or series of techniques will emerge that remains consistent – or has the same staying power as macro exploitation once did.
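The shift the article describes, from macros to PDFs and other "old file types", changes what a mail gateway needs to look at. The following is an added example written for this page, not code from Computer Weekly, Proofpoint or the whitepaper: a small attachment-triage routine that identifies the real container type from its leading bytes rather than trusting the file extension, flags executables and macro-enabled extensions, and flags PDFs that carry active-content keys (OpenAction, JavaScript, Launch, embedded files). The signature table, the PDF key list and the sample attachments are assumptions constructed for illustration; real gateways use much larger signature sets.

```python
"""Email attachment triage heuristics (illustrative example, not a product
implementation). Type is decided from magic bytes; a mismatch with the
declared extension, an executable container, a macro-enabled extension, or a
PDF with active-content keys each add a finding. Signatures and keys below
are an assumed, deliberately small set."""
import re
from dataclasses import dataclass, field

# Leading-byte signatures for a few container types common in mail (assumed set).
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                              # also docx/xlsm/jar
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",        # legacy doc/xls
    b"MZ": "pe",                                       # Windows executable
    b"L\x00\x00\x00\x01\x14\x02\x00": "lnk",           # Windows shortcut
}

# What each declared extension should sniff as.
EXTENSION_TYPE = {
    "pdf": "pdf", "zip": "zip", "docx": "zip", "xlsm": "zip", "docm": "zip",
    "doc": "ole", "xls": "ole", "exe": "pe", "lnk": "lnk",
}

# PDF dictionary keys that enable action-on-open, scripting, launching or
# embedding; \b keeps /JS from matching inside /JSomething.
PDF_ACTIVE = re.compile(rb"/(OpenAction|AA|JavaScript|JS|Launch|EmbeddedFile)\b")


@dataclass
class Verdict:
    name: str
    detected: str
    findings: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.findings)


def sniff(data: bytes) -> str:
    """Return the container type implied by the first bytes, or 'unknown'."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def triage(name: str, data: bytes) -> Verdict:
    kind = sniff(data)
    verdict = Verdict(name, kind)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""

    expected = EXTENSION_TYPE.get(ext)
    if expected and expected != kind:
        verdict.findings.append(f"extension .{ext} expects {expected}, content is {kind}")
    if kind in ("pe", "lnk"):
        verdict.findings.append(f"directly executable container ({kind})")
    if ext in ("xlsm", "docm", "pptm"):
        verdict.findings.append("macro-enabled Office extension")
    if name.count(".") >= 2:
        verdict.findings.append("double extension")
    if kind == "pdf":
        for key in sorted({m.group(1).decode() for m in PDF_ACTIVE.finditer(data)}):
            verdict.findings.append(f"PDF active-content key /{key}")
    return verdict


# Constructed sample attachments (not real malware): a plain PDF, a PDF whose
# catalog runs JavaScript on open, and an executable renamed to look like a PDF.
SAMPLES = {
    "report.pdf": (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\n"
                   b"endobj\n%%EOF\n"),
    "invoice.pdf": (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\n"
                    b"endobj\n3 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\n"
                    b"endobj\n%%EOF\n"),
    "statement.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
}


def run_samples() -> dict:
    """Triage every sample and return name -> (detected type, findings)."""
    return {n: (v.detected, v.findings) for n, v in
            ((n, triage(n, d)) for n, d in SAMPLES.items())}


if __name__ == "__main__":
    for name, (kind, findings) in run_samples().items():
        print(f"{name:15} {kind:8} {findings or 'clean'}")
```

The point of sniffing rather than trusting the extension is that the file type the article's actors switch to is chosen to pass a policy written for the previous one; a rule keyed on what the bytes are survives that switch better than a rule keyed on what the name claims.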

Source: Computerweekly