When Microsoft restricted all Excel 4.0 macros by default earlier in 2022 to prevent threat actors from abusing the feature to distribute malware, many security experts thought threat actors would just move to a different attack vertical.
However, security researchers from Netskope have found weaponized Excel files are still very popular as users are still using old and unprotected versions of the software and are, as such, still susceptible to this type of attack.
In a blog post (opens in new tab), Netskope Staff Threat Research Engineer Gustavo Palazolo outlined how the company recently came across “hundreds” of malicious Office documents being used to download and execute Emotet.
Single threat actor
Emotet is a trojan capable of stealing information and dropping additional malicious payloads onto the target endpoint.
After doing a search for similar files on VirusTotal, the team discovered 776 malicious spreadsheets, submitted in just a week and a half, during June. Most of the files share the same URLs and some metadata, drawing the researchers to conclude that it’s probably the work of a single threat actor.
In total, the team extracted 18 URLs, four of which were still online and delivering the malicious payload at the time.
The files are being distributed the traditional way – via email. The victim would receive an email claiming to be a payment form for a service, some medical bills or paperwork, or anything that might prompt people into downloading and opening the attachment if nothing then out of curiosity.
Some files were even compressed and password-protected, likely to evade antivirus or email protection services.
Users running the file would see it empty, except for a message saying the contents of the file are “protected” until they enable editing which effectively enables macros, as well.
To best defend from this type of phishing, businesses are encouraged to educate their employees on how to spot phishing, keep their hardware and software updated, and run proper antivirus solutions, firewalls, and multi-factor authentication services.
- Emotet is less of a threat if you have one of the best antivirus solutions running