Crime, Uh, Finds A Way:
The Evolution of Ecrime in a Post-Macro World
Over the last year, the cybercriminal ecosystem has undergone a shift in activity and threat behavior on a scale researchers have not previously seen. (Almost as if the DNA of ecrime actors had been engineered to respond to changes in their habitat.) The driver is Microsoft blocking VBA macros by default in Office documents downloaded from the internet, which forced everyone along the threat actor food chain -- from the lamest skiddies to the experienced cybercriminals who enable major ransomware attacks -- to change the way they conduct business. And new attack chains just keep hatching.
Based on our unique telemetry, which covers billions of messages per day, Proofpoint researchers have seen widespread experimentation in payload delivery: old filetypes, odd attack chains, and many new tricks (clever girls!) that result in malware infections, including ransomware.
This activity tells us a few interesting things about the overall ecrime threat landscape:
Macros have all but gone extinct, and actors continue trying to find the next apex TTPs. A given threat actor may adopt a new behavior for just days or weeks before pivoting to something else.
Threat actors follow the leader. OneNote is the most recent example, but the ecrime landscape shifts around whatever the hot new filetype is. We have seen threat actors move to VHD, CHM, PDF, large compressed files, and HTML smuggling; each typically starts with just a handful of campaigns, followed by a wave of activity using the same technique.
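As an added illustration of the "follow the leader" point, the triage routine below is not Proofpoint's code and is not from the talk; it shows how a defender can flag the lure types named above in mail attachment metadata and content. The container extensions, the archive size threshold, the list of JavaScript APIs used to reassemble a smuggled payload client-side, and the sample messages are all assumptions chosen for the example.

```python
import base64
import re
from dataclasses import dataclass, field

# Assumption: container/document types the talk names as post-macro lures.
CONTAINER_EXTS = {"vhd", "vhdx", "chm", "one"}
# Archives are only flagged when oversized; many scanners skip large files,
# which is why "large compressed files" show up as a lure. Threshold is a guess.
ARCHIVE_EXTS = {"zip", "rar", "7z"}
LARGE_ARCHIVE_BYTES = 50 * 1024 * 1024

# JavaScript APIs typically used to rebuild and drop a payload in HTML smuggling.
SMUGGLING_APIS = ("atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob(")
# A long run of base64 characters, as seen when a payload is inlined in a script.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


@dataclass
class Attachment:
    name: str
    size: int
    content: bytes = b""


@dataclass
class Verdict:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def html_smuggling_indicators(html: str) -> list:
    """Return reasons an HTML body looks like an HTML smuggling lure."""
    reasons = []
    apis = [api for api in SMUGGLING_APIS if api in html]
    if apis:
        reasons.append("js-reassembly:" + ",".join(apis))
    match = B64_BLOB.search(html)
    if match:
        # Decode only a prefix (64 chars -> 48 bytes) to sniff the embedded file type.
        try:
            head = base64.b64decode(match.group(0)[:64])
        except ValueError:
            head = b""
        if head.startswith(b"PK"):
            reasons.append("embedded-zip")
        elif head.startswith(b"MZ"):
            reasons.append("embedded-pe")
        else:
            reasons.append("large-base64-blob")
    return reasons


def triage(att: Attachment) -> Verdict:
    """Flag an attachment using the lure categories discussed in the talk."""
    verdict = Verdict(att.name)
    ext = _ext(att.name)
    if ext in CONTAINER_EXTS:
        verdict.reasons.append(f"container-lure:{ext}")
    elif ext in ARCHIVE_EXTS and att.size > LARGE_ARCHIVE_BYTES:
        verdict.reasons.append("large-archive")
    elif ext in {"html", "htm"}:
        verdict.reasons.extend(
            html_smuggling_indicators(att.content.decode("utf-8", errors="ignore")))
    return verdict


# Constructed sample: a zip header plus padding, inlined as base64 and rebuilt with atob/Blob.
_PAYLOAD = base64.b64encode(b"PK\x03\x04" + b"\x00" * 300).decode()
SMUGGLED_HTML = f"""<html><body><script>
const b64 = "{_PAYLOAD}";
const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
const blob = new Blob([bytes], {{type: "application/zip"}});
const a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "invoice.zip"; a.click();
</script></body></html>""".encode()
BENIGN_HTML = b"<html><body><p>Quarterly summary attached.</p></body></html>"


def demo() -> dict:
    """Run triage over constructed attachments; returns {name: reasons}."""
    samples = [
        Attachment("invoice.vhd", 4096),
        Attachment("report.zip", 10 * 1024),
        Attachment("scan.zip", 60 * 1024 * 1024),
        Attachment("lure.html", len(SMUGGLED_HTML), SMUGGLED_HTML),
        Attachment("note.html", len(BENIGN_HTML), BENIGN_HTML),
    ]
    return {s.name: triage(s).reasons for s in samples}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name:12s} {'SUSPICIOUS' if reasons else 'ok':10s} {reasons}")
```

The point of the prefix decode is that a smuggled payload is usually a zip, ISO or PE that the script writes to disk; sniffing the first bytes lets a detection rule say what kind of file is being dropped without decoding the whole blob.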
In this talk, we'll present unique data from multiple cybercriminal threats that tells the story of how ecrime actors always find a way to develop new techniques in response to defenders, and how the security community quickly identifies those techniques to keep users safe from evolving threats.