by Maria Patricia Revilla Dacuno, Researcher, Tactical Defense Unit
The spam trends of 2020 will likely continue in 2021: pandemic-related information used as a lure, office documents as a prevalent infection vector, password-protected malicious attachments (including exotic archive file types), and cloud services used to host malicious content.
Until the Covid situation dies down, spam campaigns will continue to follow remote-work and pandemic-related topics (vaccines, delayed shipping announcements from courier services, etc.). Threat actors know that many people are eager to receive valuable information related to the status of the pandemic (especially in their immediate area). Attackers have always taken advantage of current events to make their emails relevant enough for users to open them and click on malicious content.
In addition to the usual office documents with malicious VBA macros, researchers observed Excel 4.0 macros (known as “formulas”) become popular with attackers in 2020. Using the features of these macros, attackers implemented anti-sandbox techniques that check settings (such as mouse and audio capabilities) that can indicate a possible sandbox environment. Attackers are evidently rediscovering old office document features that can be used to deliver attacks, and we can expect office documents to remain a prevalent infection vector in spam. The use of Excel 4.0 macros by threat actors is most likely to continue in 2021.
Campaigns using passwords to protect malicious attachments have occasionally been seen in spam. Threat actors use this technique to keep malicious attachments from being automatically analyzed by sandboxes and from being scanned by security products. The technique was present in Emotet campaigns in 2020, and we can expect more threat actors to follow suit.
The use of cloud services has also become popular with threat actors. With popular loaders such as GuLoader, and the recent loaders for Ryuk ransomware attacks (Buer and BazarLoader), we can expect that cybercriminals will continue to leverage cloud services in spam campaigns, whether for phishing or for malware campaigns that use these services as repositories for delivering payloads.