Threat actors have been moving away from Office macros in ransomware attacks since Microsoft announced that such macros would be disabled by default: the share of pre-ransomware events using VBA or Excel 4.0 macros dropped from 55% to 9% between the first and second quarter of 2022, VentureBeat reports.
Default blocking of macros has prompted malicious actors to switch to HTML Application (HTA), shortcut, and disk image files for initial network access, according to a report from Expel.
"Microsoft's announcement that it would block macros by default in Microsoft Office applications appears to have changed the game for attackers," said Expel Vice President of Security Operations Jonathan Hencinski.
New attacks using these proven techniques could be curbed by configuring Windows Script Files, HTML Applications, and JavaScript files to open with Notepad, Hencinski said.
Organizations have also been urged to update Windows Explorer to remove the ISO file extension association, in an effort to prevent unintended execution of malicious software.
As part of its latest attacks, discovered in June, Tropic Trooper exploited several known Microsoft Exchange Server and Adobe ColdFusion vulnerabilities to distribute an updated China Chopper web shell on a server hosting the Umbraco open-source content management system.
More than 50 Alibaba-hosted command-and-control servers have been leveraged to facilitate the distribution of the backdoor, which impersonates the Java, bash, sshd, SQLite, and edr-agent utilities.
Angola and the Democratic Republic of Congo, which is a new Intellexa client, may have leveraged new Predator infrastructure to enable spyware staging and exploitation, according to an analysis from Recorded Future's Insikt Group.