In 2022 we saw major malware campaigns leverage vintage tradecraft in new ways, experimenting with delivery vehicles and file types in an attempt to evade detection. Weaponized Microsoft documents and malicious macros waned in favor of evil binaries hidden within nested layers of container files and compressed archives. Adversaries manipulated search engine ads and results to lure users into downloading malicious installers. USBs, a well-known threat vector for decades, saw a resurgence in use by new malware families and established adversaries.
Phishing trend: Macros are out, compressed files and containers are in
Macros traded in for newer delivery vehicles
In February 2022, Microsoft announced that it would begin blocking VBA macros by default in Office files that come from the internet. Key to implementing this change is the Zone.Identifier alternate data stream (ADS) that Windows attaches to downloaded files and email attachments; its ZoneId value records whether the file came from a trusted location. The internet is not a trusted zone, so a file whose Zone.Identifier ADS carries ZoneId=3, commonly known as the Mark-of-the-Web (MOTW), can be subjected to more stringent security measures, including the macro block.
Not all files end up with the MOTW. Whether a given file carries it depends on several factors: the software used to download the file, the file format, and whether the tool that extracts or mounts it propagates the mark to the contents (a feature that may not exist, or may be present but disabled). Compressed archives (ZIP, RAR) and container files (ISO, VHD) are the common cases: the downloaded archive or image itself may be marked, but the files a user extracts or mounts from it often are not, so those files are not restricted, blocked, or prompted for in the same way as files that do carry the mark.
Following Microsoft’s announcement, adversaries across the board changed their techniques. They rapidly shifted away from malicious macros in their phishing emails and began leveraging container files and compressed files to deliver their malware, often nesting these file types within each other in an attempt to further bypass security controls. In June 2022, 7-Zip released an update that added an option, off by default, to propagate the Zone.Identifier stream from an archive to the files extracted from it. In November 2022, Microsoft released a security update that propagates the MOTW to the contents of an ISO image or ZIP archive when Windows itself mounts or extracts it. These updates may reduce the misuse of ZIP and ISO files in 2023.
Throughout the year, we observed compressed archives, especially RAR or ZIP files, used as the outer layer of a malicious nested attachment. The archive itself may carry the MOTW, but the files extracted from it do not inherit the Zone.Identifier ADS, so the payload that the user eventually opens has no MOTW. Again, 7-Zip’s June update may complicate an adversary’s ability to abuse ZIP files, but only if users opt in. Multiple threats used compressed archives in their attachments in 2022, including Bumblebee, IcedID, and Qbot.
Optical disc image (ISO) files and virtual hard disk (VHD) files are two types of container files we’ve seen delivered inside compressed archives in an attempt to evade MOTW restrictions. When a user double-clicks an ISO, Windows mounts it as a separate volume, and the files inside that volume did not inherit the MOTW from the downloaded image until Microsoft’s November 2022 patch began propagating the mark from the ISO to its contents. Proofpoint reported a 150 percent increase in the use of ISO files in malicious campaigns between October 2021 and June 2022. IcedID is one example of a threat that used ISOs, and Bumblebee leveraged both ISOs and VHDs in 2022.
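As an added example that is not code from Red Canary or from the report above, the following Python script covers the two checks an analyst wants when triaging an attachment built this way: it parses the text of a Zone.Identifier stream (the MOTW) into its zone and referrer fields, and it walks a ZIP attachment layer by layer, reporting any archive, container image, installer or shortcut found at any depth, including password-protected members it cannot open. The sample attachment (a ZIP holding a ZIP holding a stub ISO and a stub LNK) is constructed in memory; the file names, magic-byte checks and verdict rules are assumptions for illustration. RAR, ISO and VHD layers are recognized but not unpacked, since that needs third-party libraries.

```python
import io
import zipfile

# Constructed example (not Red Canary code): parse a Zone.Identifier stream and
# walk a nested ZIP attachment. Names, heuristics and sample data are assumptions.

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # shell link CLSID
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
ARCHIVES, CONTAINERS, LAUNCHERS = {"zip", "rar"}, {"iso", "vhd"}, {"lnk", "msi"}


def parse_zone_identifier(stream: bytes) -> dict:
    """Parse the INI-style text of a Zone.Identifier ADS into a dict.

    A browser typically writes "[ZoneTransfer]\\r\\nZoneId=3\\r\\nHostUrl=...".
    ZoneId 3 is the Internet zone, i.e. the Mark-of-the-Web.
    """
    result = {"zone_id": None, "zone": "no MOTW"}
    for line in stream.decode("utf-8", errors="replace").splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key.startswith("["):
            continue
        if key == "ZoneId" and value.strip().isdigit():
            result["zone_id"] = int(value)
            result["zone"] = ZONE_NAMES.get(int(value), "unknown")
        else:
            result[key] = value          # ReferrerUrl / HostUrl are useful for triage
    return result


def identify(name: str, data: bytes) -> str:
    """Classify a blob by magic bytes, falling back to its extension."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:7] == b"Rar!\x1a\x07\x00" or data[:8] == b"Rar!\x1a\x07\x01\x00":
        return "rar"
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":    # ISO 9660 PVD
        return "iso"
    if data[:8] == b"vhdxfile" or data[-512:-504] == b"conectix":  # VHDX / VHD footer
        return "vhd"
    if data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LNK_CLSID:
        return "lnk"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" and ext == "msi":  # OLE CF
        return "msi"
    return ext or "unknown"


def walk(name: str, data: bytes, depth: int = 0, findings=None) -> list:
    """Recurse through ZIP layers; record (depth, path, kind) for interesting members.

    ZIP members are unpacked in memory. RAR, ISO and VHD layers are reported but
    not opened; password-protected members, a common evasion, are reported as
    "encrypted" and skipped.
    """
    if findings is None:
        findings = []
    kind = identify(name, data)
    if kind in ARCHIVES | CONTAINERS | LAUNCHERS:
        findings.append((depth, name, kind))
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                path = f"{name}/{info.filename}"
                try:
                    member = zf.read(info)
                except RuntimeError:           # encrypted member, no password
                    findings.append((depth + 1, path, "encrypted"))
                    continue
                walk(path, member, depth + 1, findings)
    return findings


def summarize(findings: list) -> dict:
    """Turn the findings into the verdict a triage pipeline would act on."""
    nested = [f for f in findings if f[0] > 0 and f[2] in ARCHIVES | CONTAINERS]
    launchers = [f for f in findings if f[2] in LAUNCHERS]
    return {"max_depth": max((d for d, _, _ in findings), default=0),
            "nested_containers": len(nested),
            "suspicious": bool(nested or launchers)}


def build_sample() -> bytes:
    """Construct a ZIP -> ZIP -> {stub ISO, stub LNK} attachment (fake, for the demo)."""
    iso = bytearray(0x8010)
    iso[0x8000:0x8006] = b"\x01CD001"                    # primary volume descriptor
    lnk = b"\x4c\x00\x00\x00" + LNK_CLSID + bytes(56)     # 76-byte ShellLinkHeader
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.iso", bytes(iso))
        zf.writestr("invoice.lnk", lnk)
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("documents.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(parse_zone_identifier(b"[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/a.zip\r\n"))
    hits = walk("attachment.zip", build_sample())
    for depth, path, kind in hits:
        print(f"{'  ' * depth}{kind:10} {path}")
    print(summarize(hits))
```

On a real Windows host the bytes for `parse_zone_identifier` come from the stream itself, for example `open(path + ":Zone.Identifier", "rb").read()` in Python or `Get-Content -Stream Zone.Identifier` in PowerShell; a file with no such stream is the "no MOTW" case the text describes. The verdict deliberately treats a single archive with a document inside as benign and only escalates on nesting or on a launcher (LNK/MSI) at any depth.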
Web trends: SEO poisoning and malvertising
Search engine optimization poisoning
Search engine optimization (SEO) poisoning continued to be an effective technique for gaining initial access in 2022. Many threats leveraged SEO poisoning, including Gootloader, Yellow Cockatoo, and various stealers. Adversaries create malicious websites that use SEO techniques like placing strategic search keywords in the body or title of a webpage. They attempt to make their malicious sites more prominent than legitimate sites when search results are returned by Google and other search engines. As an example, Zloader—also known as BATLOADER—has used keywords like “free software development tools” to encourage victims to navigate to their site and download evil installers. Another example, Gootloader, has used websites claiming to offer information on contracts and other legal or financial documents. This trend shows no signs of slowing as we move into 2023; in late 2022, one SEO poisoning campaign targeted almost 15,000 websites.
SEO poisoning is not the only way adversaries use search engines to their advantage. Malicious advertising, or malvertising, also persisted in 2022. In malvertising, adversaries buy search engine ads that impersonate the download pages of legitimate software such as Zoom or TeamViewer; the ad leads to a look-alike site that serves a trojanized installer in place of the real one. Threats that used malvertising extensively in 2022 include AdSearch, IcedID, and stealer malware.
File type trends: LNK and MSI
Windows shortcut files, also known as LNK files, also saw increased adversarial use in 2022. Proofpoint reported a 1,675 percent increase in LNK files in malicious campaigns between October 2021 and June 2022. LNK files are neither compressed archives nor container files. Instead, a LNK file gives adversaries a way to launch a binary or script with attacker-chosen command-line arguments: when the shortcut is created, its target can be pointed at a built-in utility such as cmd.exe or PowerShell and given a command line that downloads and executes additional malware, often behind an icon chosen to look like a document. Some prominent threats that leveraged LNK files in 2022 include Emotet, Bumblebee, and families that do not arrive by phishing, such as Raspberry Robin.
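Because the target and arguments are what make a shortcut dangerous, an analyst wants to pull them out without double-clicking the file. The following Python parser is an added example, not code from the report: it reads the ShellLinkHeader, skips the optional LinkTargetIDList and LinkInfo structures, and recovers the StringData fields (relative path, working directory, arguments, icon) in the order the MS-SHLLINK specification lays them out, then applies a few triage heuristics. The sample shortcut is constructed in memory to look like a phishing lure that launches cmd.exe with an encoded PowerShell command; the token list and the "hidden window" rule are assumptions for illustration.

```python
import struct

# Constructed example (not from the original report): parse a Windows shortcut
# per MS-SHLLINK and triage the command line it would launch. The sample shortcut
# and the heuristics are assumptions for illustration.

HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HEADER_SIZE = 0x4C
SHOW = {1: "SHOWNORMAL", 3: "SHOWMAXIMIZED", 7: "SHOWMINNOACTIVE"}
SUSPICIOUS = ("powershell", "-enc", "cmd", "mshta", "rundll32", "regsvr32",
              "wscript", "cscript", "certutil", "http://", "https://")


def _read_string(data: bytes, pos: int, unicode: bool):
    """StringData field: 2-byte character count, then the characters."""
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    if unicode:
        return data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return data[pos:pos + count].decode("cp1252", errors="replace"), pos + count


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields and ShowCommand of a .lnk file."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show = struct.unpack_from("<I", data, 0x3C)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:      # LinkTargetIDList: 2-byte size, then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"show_command": SHOW.get(show, f"0x{show:x}")}
    for flag, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                      (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon_location")):
        if flags & flag:
            fields[key], pos = _read_string(data, pos, unicode)
    return fields


def triage(lnk: dict) -> list:
    """List the reasons a parsed shortcut looks like a malware launcher."""
    cmd = f"{lnk.get('relative_path', '')} {lnk.get('arguments', '')}".lower()
    reasons = [token for token in SUSPICIOUS if token in cmd]
    if lnk["show_command"] == "SHOWMINNOACTIVE":
        reasons.append("window hidden (SHOWMINNOACTIVE)")
    if len(lnk.get("arguments", "")) > 200:
        reasons.append("unusually long command line")
    return reasons


def build_sample() -> bytes:
    """Construct a shortcut shaped like a phishing lure (fake data for the demo)."""
    flags = HAS_REL_PATH | HAS_WORK_DIR | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)   # ShowCommand = 7

    def s(text: str) -> bytes:                 # one Unicode StringData field
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = (s(r"..\..\..\Windows\System32\cmd.exe")
            + s(r"C:\Windows\System32")
            + s("/c powershell -w hidden -enc SQBFAFgA")   # "IEX" as UTF-16 base64
            + s(r"%SystemRoot%\System32\shell32.dll"))
    return header + body + bytes(4)            # ExtraData TERMINAL_BLOCK


if __name__ == "__main__":
    lnk = parse_lnk(build_sample())
    for key, value in lnk.items():
        print(f"{key:14} {value}")
    print("triage:", triage(lnk))
```

Real lures usually also carry a LinkTargetIDList and LinkInfo, which is why the parser skips both before reading the strings; the ExtraData blocks that follow (including the TrackerDataBlock with the machine name where the shortcut was built) are left unread here but are worth extracting in a full triage tool.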
Windows Installer (MSI) files
When Zloader combined malvertising and SEO poisoning in 2022, its installer took the form of Windows Installer (MSI) files. MSI files are used to install and update legitimate software on Windows systems. Adversaries use them to drop malicious binaries and run scripts through custom actions, and because the Windows Installer service performs installations with elevated privileges once the user approves them, an MSI is also a convenient way to run code with those privileges. Zloader’s malicious MSI files appeared to be installers for versions of legitimate software. Other threats used MSI files in their intrusions in 2022, including Qbot and Raspberry Robin.
What’s old is new again: USBs
Continuing the theme of everything old being new again, a number of threats leveraged infected USB drives for initial access in 2022. USBs carrying malicious payloads that infect a system when plugged in have been an evergreen problem in information security for a number of reasons. As with any removable device, security teams have less control over, and less visibility into, what is stored on them. One notable threat spread by USBs this year is Raspberry Robin. Many types of USB malware, such as worms, establish persistence that can continue for years, and in 2022 Gamarue exemplified how such pre-existing infections can be exploited by threat actors. FIN7, as well as espionage-focused groups, also leveraged USBs in 2022.