Where Has the MS Office Document Malware Gone?

by Prapattimynk, Wednesday, 18 October 2023

Infostealers, which steal user account credentials saved in web browsers or email clients, constitute the majority of attacks targeting general or corporate users. Related information was shared through the ASEC Blog in December of last year. [1]

While the exact distribution method differs slightly depending on each malware family's main features, Infostealer-type malware typically uses malicious sites disguised as download pages for legitimate programs as its distribution route. It is also actively distributed through spam email attachments or MS Office documents such as Word and Excel files.

This blog will cover the significant decrease in the existing distribution of malicious files through MS Office documents and analyze the changing trend of malware distribution methods observed during this process. The numerical data that generated the statistics is based on the ratio of malware in MS Office documents to all Non-PE malicious files collected within AhnLab’s internal infrastructure from January 2022 to the present, spanning approximately 1 year and 10 months.

1. Changing Trend

MS Office document files, which have been actively used as download mediums in the past, were not only downloading Infostealer-type malware during the document program execution process but were also frequently used to download APT malware. To summarize the general changing trend that led to MS Office products no longer being used as distribution mediums, the following can be noted.

First, there has been a shift in the way malware is delivered. Previously, it involved downloading additional executable-type (PE) malware through external malicious URLs embedded in the macro code of Word/Excel documents. However, it has now evolved into a method where the executable itself is compressed in formats like ZIP, R00, GZ, and RAR or an IMG disk file format is used and attached to emails. This indicates a decrease in the number of Word/Excel file types that are distributed as download mediums using obfuscated Office VBA macro code or Excel 4.0 (XLM) macros.

Furthermore, APT attacks using social engineering techniques based on societal issues or user-interest-related email subjects, content, or attachment names have been observed continuously. However, the distribution method primarily utilized in these attacks has shifted from using macros in Word/Excel document files to employing Windows help files (CHM) or shortcut files (LNK).

1-1. CHM

For Windows Help files (*.chm), there was a significant increase in distribution from the first to the second quarter of 2022. [2] Figure 1, which is based on the number of samples collected through AhnLab Smart Defense (ASD), shows that during the same period the distribution of malware using the flagship MS Office products, Word and Excel, decreased by about 40%.

During the initial distribution of malicious CHM files, it was also observed that the malicious files extracted by the decompile routine in the embedded script (e.g. ‘chmext.exe’, see [3] and [4]) were identical to the files distributed through Word documents around the same time. This suggests that the threat actor who had been distributing malware through Word files attempted attacks using file formats outside the MS Office product line. The names of the CHM files distributed at that time were intentionally designed to pique the interest of users, such as ‘COVID-19 Positive Test Results Notice’ and ‘Document Editing and Messenger Program Usage Instructions’.

1-2. LNK

The Emotet malware’s shift to distributing through LNK files from their usual distribution method through MS Office products was first observed during the second quarter of 2022. [5] Since Emotet was actively distributed through VBA macro codes and Excel 4.0 (XLM) macros in the past, this change in distribution medium is significant from the perspective of anti-malware product responses.

Additionally, the attack method that had previously distributed malware through Word files was also identified in the distribution of malicious LNK files. [6] AhnLab assessed the background of these attacks by considering various information, such as the behavior of the analyzed malware and the threat actor’s C2 URL format. Based on this, it appears that the same threat actor is attempting to change the initial execution medium from the MS Office product line to the LNK file format, just as was confirmed in the malicious CHM distribution process.
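As an added defender-side example (not code from the original post or from AhnLab), the following Python triage classifies an email attachment by its magic bytes, flags the delivery formats this post describes (ZIP/RAR/R00/GZ archives, IMG/ISO disk images, CHM help files and LNK shortcuts), reports extension/content mismatches, and lists PE executables carried inside ZIP archives. The signature table and the sample attachments are my own constructed assumptions, not artifacts from the campaigns discussed.

```python
import io
import zipfile

# Magic-byte signatures (offset, bytes) for the formats discussed in the post.
SIGNATURES = {
    "zip": (0, b"PK\x03\x04"),
    "rar": (0, b"Rar!\x1a\x07"),          # .rar and .r00 multi-volume parts
    "gzip": (0, b"\x1f\x8b"),
    "chm": (0, b"ITSF"),                   # Windows Help (HTML Help) container
    "lnk": (0, b"\x4c\x00\x00\x00\x01\x14\x02\x00"),  # Shell Link header + CLSID prefix
    "iso": (0x8001, b"CD001"),             # IMG/ISO primary volume descriptor
    "pe": (0, b"MZ"),
}
# Attachment extensions named in the post, mapped to the content they should carry.
EXPECTED = {"zip": "zip", "r00": "rar", "rar": "rar", "gz": "gzip",
            "img": "iso", "iso": "iso", "chm": "chm", "lnk": "lnk"}

def identify(data: bytes) -> str:
    """Return the format name whose signature matches, or 'unknown'."""
    for name, (offset, magic) in SIGNATURES.items():
        if data[offset:offset + len(magic)] == magic:
            return name
    return "unknown"

def triage(filename: str, data: bytes) -> dict:
    """Classify one attachment and collect findings a SOC analyst would want to see."""
    ext = filename.rsplit(".", 1)[-1].lower()
    kind = identify(data)
    findings = []
    if ext in EXPECTED and EXPECTED[ext] != kind:
        findings.append(f"extension .{ext} does not match content type {kind}")
    if kind in ("chm", "lnk"):
        findings.append(f"{kind} attachment: help-file/shortcut delivery medium")
    if kind == "zip":  # look inside for the executable the archive is carrying
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(".exe") or identify(zf.read(info)) == "pe":
                    findings.append(f"archive member {info.filename} is a PE executable")
    return {"file": filename, "type": kind, "findings": findings}

def build_samples() -> dict:
    """Constructed sample attachments (harmless stand-ins, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)  # fake PE stub
    chm = b"ITSF" + b"\x00" * 28                               # minimal CHM header
    lnk = SIGNATURES["lnk"][1] + b"\x00" * 68                  # minimal LNK header
    return {"invoice.zip": buf.getvalue(), "notice.r00": chm, "report.lnk": lnk}
```

Running `triage` over each entry of `build_samples()` yields one finding for the ZIP (an embedded PE), two for the mislabelled `.r00` (extension mismatch plus CHM medium), and one for the LNK; in a mail gateway the same checks would run over real attachments.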

2. Summary

The shift away from typical attacks involving Word or Excel files to the distribution of malware through alternative file formats serves a dual purpose. It not only evades the detection of static information in document editing programs used as execution mediums but also complicates the identification of the malware itself. This is accomplished by leveraging regular Windows processes or executing the malware in a fileless format during the loading of malicious data.

The significant reduction in the use of files from the MS Office product line as a medium for distributing malware can be attributed to Microsoft’s announcement in early to mid-2021 regarding the default deactivation of Excel macros. This change has led to various attempts by attackers to evade detection by anti-malware products. [7][8]

It is expected that the mediums used to distribute malware will continue to change over time. APT attacks targeting not only individual users but also government organizations, major corporations, and social infrastructure are becoming increasingly advanced and sophisticated. Therefore, users need to exercise extra caution in the face of these evolving threats.

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.