Threat actors turn to QR codes and other creative techniques as macros are blocked

The default blocking of macros in MS Office is forcing threat actors to be more creative with their attack methods, according to the latest report from HP Wolf Security.

There have been increases in the levels of malware delivered in PDFs and zip files, as well as a rise in 'scan scams' using QR codes to trick users into opening links on mobile devices.

"We have seen malware distributors like Emotet try to work around Office's stricter macro policy with complex social engineering tactics, which we believe are proving less effective. But when one door closes another opens -- as shown by the rise in scan scams, malvertising, archives, and PDF malware," says Alex Holland, senior malware analyst with the HP Wolf Security threat research team. "Users should look out for emails and websites that ask to scan QR codes and give up sensitive data, and PDF files linking to password-protected archives."

Since October 2022, HP has seen almost daily QR code scam campaigns. These trick users into scanning QR codes from their PCs using their mobile devices -- potentially to take advantage of weaker phishing protection and detection on such devices. The QR codes then direct users to malicious websites asking for credit and debit card details. Examples in Q4 include phishing campaigns masquerading as parcel delivery companies seeking payment.

There's also been a 38 percent rise in malicious PDF attachments. Recent attacks use embedded images that link to encrypted malicious ZIP files, bypassing web gateway scanners. The PDF instructions contain a password that the user is tricked into entering to unpack a ZIP file, this then deploys QakBot or IcedID malware to gain unauthorized access to systems and provide beachheads to deploy ransomware.

Archive formats are another popular attack mode, with 42 percent of malware files delivered in files like ZIP, RAR, and IMG. The popularity of archives has risen 20 percent since Q1 2022, as threat actors switch to scripts to run their payloads. This is compared to 38 percent of malware delivered through Office files such as Microsoft Word, Excel, and PowerPoint.

In Q4, HP also uncovered 24 popular software projects imitated in malvertising campaigns used to infect PCs with eight malware families -- compared to just two similar campaigns in the previous year. These attacks rely on users clicking on search engine advertisements, which lead to malicious websites that look almost identical to the real websites.

You can get the full report on the Wolf Security blog.

Photo Credit: zhu difeng/Shutterstock