catchopk.blogg.se

Teamviewer msi






In 2022 we saw major malware campaigns leverage vintage tradecraft in new ways, experimenting with delivery vehicles and file types in an attempt to evade detection. Weaponized Microsoft documents and malicious macros waned in favor of evil binaries hidden within nested layers of container files and compressed archives. Adversaries manipulated search engine ads and results to lure users into downloading malicious installers. USBs, a well-known threat vector for decades, saw a resurgence in use by new malware families and established adversaries.

Macros traded in for newer delivery vehicles

Phishing trend: Macros are out, compressed files and containers are in

In February 2022, Microsoft announced that they would start blocking VBA macros by default across their entire product suite. Key to implementing this change is the Zone Identifier Alternate Data Stream (ADS) value assigned to downloaded files and attachments, with the specific value based on whether or not the file came from a trusted location. The internet is not considered a trusted source, meaning files with the Zone.Identifier ADS value of 3, commonly known as the Mark-of-the-Web (MOTW), can be subject to more stringent security measures. Not all file types are automatically assigned the MOTW. It depends on several factors, including the software used to download the file, the file format, and other utilities with features that may or may not be enabled. Compressed archives (ZIP, RAR) and container files (ISO, VHD) are types of files that may not have the MOTW, meaning they won’t be restricted, blocked, or generate warning prompts in the same way as files that do contain the mark.

Following Microsoft’s announcement, adversaries across all verticals changed their techniques. They rapidly shifted away from malicious macros in their phishing emails and began leveraging container files and compressed files to deliver their malware, often nesting these file types within each other in an attempt to further bypass security controls. In June 2022, 7-Zip released an update that added an opt-in feature that could add the MOTW to ZIP files. In November 2022, Microsoft released a security update that propagated MOTW identifiers to some ZIP and ISO files. These updates may reduce the misuse of ZIP and ISO files in 2023. Throughout the year, we observed compressed archives, especially RAR or ZIP files, used as a malicious nested attachment’s outer layer. They do not have a Zone Identifier ADS attribute, so they can not have a MOTW. Again, 7-Zip’s June update may complicate an adversary’s ability to abuse ZIP files but only if users opt in.
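The Zone.Identifier check discussed on this page can be scripted for triage. The following is an added example, not code from the original page: it parses the stream's text, reports whether a file carries the MOTW (ZoneId 3), and flags archive or container files that have no mark at all. The function names and the sample stream contents are constructed for illustration.

```python
import os

# ZoneId values used by Windows URL security zones; 3 is the MOTW case on this page.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
# Archive and container types the page names as delivery wrappers.
WRAPPERS = {".zip", ".rar", ".iso", ".vhd"}


def parse_zone_id(stream_text):
    """Return the integer ZoneId from Zone.Identifier text, or None if absent or malformed."""
    in_section = False
    for raw in (stream_text or "").lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def read_zone_identifier(path):
    """Read the ADS text on NTFS; returns None when the stream does not exist."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def triage(name, stream_text):
    """Classify one file by its mark and by whether it is a wrapper type."""
    zone = parse_zone_id(stream_text)
    if zone is None:
        ext = os.path.splitext(name)[1].lower()
        return "unmarked-wrapper" if ext in WRAPPERS else "unmarked"
    return "motw" if zone == 3 else "zone:" + ZONES.get(zone, "unknown")


# Constructed sample: a marked download beside an unmarked container and its payload.
MARKED = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://download.example/invoice.docm\r\n"
SAMPLES = [("invoice.docm", MARKED), ("invoice.iso", None), ("setup.exe", None)]

if __name__ == "__main__":
    for sample_name, sample_text in SAMPLES:
        print(sample_name, triage(sample_name, sample_text))
```

On a Windows host, pass `read_zone_identifier(path)` as the second argument to `triage` to evaluate real files.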







