{"id":20340,"date":"2022-10-12T05:20:55","date_gmt":"2022-10-12T13:20:55","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/10\/12\/news-14073\/"},"modified":"2022-10-12T05:20:55","modified_gmt":"2022-10-12T13:20:55","slug":"news-14073","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/10\/12\/news-14073\/","title":{"rendered":"Are threat actors turning to archives and disk images as macro usage dwindles?"},"content":{"rendered":"

Credit to Author: Matt Wixey| Date: Wed, 12 Oct 2022 11:00:28 +0000<\/strong><\/p>\n

\n

Malicious macros in Office documents have long been a favorite tactic of threat actors. So Microsoft\u2019s announcement in February 2022<\/a> that macros in documents originating from the internet would be blocked by default came as welcome news (despite a brief rollback in July<\/a>). XLM4 macros were also disabled by default<\/a> in Microsoft 365 as of February 2022.<\/p>\n

But threat actors have always evolved in response to security developments, and this looks like it will be no exception. Following the rollout of Microsoft\u2019s new policy<\/a>, we\u2019ve seen attacks using archive and disk image files \u2013 including the usual suspects (ZIP and RAR), but also more obscure formats like ARJ, ACE, LZH, VHD, and XZ \u2013 accompanying a decrease in detections of popular Office formats.<\/p>\n

Archives can make it harder for detection products to inspect and flag malicious content \u2013 even more so with less-popular formats, as they tend to be less well-understood. They can also allow threat actors to bypass the \u2018Mark of the Web’ (MOTW), the tag Microsoft inserts into files originating from the internet. While the MOTW is usually present in the archive file itself, it isn\u2019t always propagated to an archive\u2019s contents once extracted.<\/p>\n

But there are some positives. Threat actors sometimes adopt more convoluted attack chains when using archives, which provides more opportunities to detect and block malicious activity. They\u2019re likely less familiar to many users, which may make them pause before opening them (although this cuts both ways, as users may be less aware of the associated risks).<\/p>\n

Our Sophos X-Ops researchers have also been working hard to expand our coverage to protect against lesser-known archive types. And some archive software vendors have begun to offer MOTW support, so that extracted contents will also contain the tag.<\/p>\n

Mark-of-the-web<\/h2>\n

MOTW was originally an Internet Explorer feature<\/a> that forced saved webpages to run in the same security zone of the site they were saved from (it could also be added manually to HTML documents meant to be viewed locally, such as product manuals and help guides).<\/p>\n

MOTW was designed to protect users by ensuring that local webpages didn\u2019t have access to the entire filesystem by running in the \u2018Local Machine zone,\u2019 which has fewer security restrictions. Instead, those webpages were forced to run in the zone of the location the page was saved from.
In practice, this meant an HTML comment was added to a saved webpage, like this:<\/p>\n

<!-- saved from url=(0028)https:\/\/www.news.sophos.com\/ --><\/pre>\n
Internet Explorer would parse the page for this comment and determine which security policy to apply to the contents, based on the user\u2019s zone settings.
 Microsoft later expanded MOTW to apply to files originating from the internet, including browser downloads and email attachments, and integrated MOTW handling throughout Windows. Instead of an HTML comment, an Alternate Data Stream (ADS) called Zone.Identifier is added to files, and an element of this stream, called ZoneId, contains a value indicating which zone the file came from.<\/p>\n
Possible ZoneId values include:<\/p>\n