
Malicious Macros, Dark Utilities, LockBit: Tanium Cyber Threat Intelligence Roundup

Ransomware gangs are exploiting macros, threat actors are leveraging the Dark Utilities C2 as-a-service platform, and LockBit ransomware is abusing Windows Defender for Cobalt Strike attacks

Emerging Issue

This week, we highlight a recent study that suggests 87% of ransomware gangs are exploiting malicious macros. These statistics, which were gathered before the implementation of Microsoft’s new macros-blocking policy, stand in contrast to a Proofpoint report revealing how phishers are adapting to Microsoft’s policy following its rollout. In addition, attackers are now using the Dark Utilities C2 as-a-service platform in malware campaigns. Plus, LockBit ransomware is abusing Windows Defender to load Cobalt Strike – another example of the way cybercriminals are increasingly leveraging living-off-the-land (LotL) techniques and abusing trusted tools and cloud services to store and deliver payloads.

1. Dark web study suggests 87% of ransomware gangs exploit malicious macros

Machine identity management firm Venafi has published new research suggesting that 87% of the ransomware found on the dark web is delivered via malicious macros to infect targeted systems.

Venafi reached this conclusion through joint research with criminal intelligence provider Forensic Pathways, conducted between November 2021 and March 2022. The research analyzed 35 million dark web URLs, including those belonging to hacking marketplaces and forums. The researchers uncovered 475 web pages pushing sophisticated ransomware products and services, with several high-profile groups aggressively marketing ransomware-as-a-service (RaaS) programs to potential affiliates.

Key takeaways

Microsoft began blocking XL4 and VBA macros by default for Office users in October 2021 and February 2022, respectively. (This was quickly followed a few weeks later by the software giant’s announcement that it was temporarily disabling the popular policy, only for Microsoft to change course again and reimplement the lauded policy shortly thereafter.)

Given the timing of both the study and Microsoft’s step towards securing its Office products, it’s little wonder that the main takeaway touted by Venafi’s researchers is their discovery that 87% of the ransomware found on the dark web was reportedly delivered with the help of malicious macros. If you look at the time period during which Venafi conducted its research, however, the figure becomes a little less surprising: Microsoft didn’t implement its new macros policy until some point between April and June of 2022, right after Venafi wrapped up its study. Even after temporarily disabling the policy, Microsoft swiftly re-implemented it in July 2022.

In fact, while Venafi’s “87%” statistic may seem staggering at first glance, one should keep in mind that in the time since Microsoft’s rollout of the macro-blocking policy, the number of campaigns leveraging container files, including ISO and RAR, and Windows Shortcut (LNK) attachments, increased nearly 175% according to a Proofpoint study on how phishing actors have been adapting in a “post-macros” world. Here’s a hint: they’re adapting just fine, using container files and other methods to bypass Microsoft’s macro-blocking security mechanism.

Here are some other key takeaways presented by Venafi’s research:

  • 30 different brands of ransomware were identified within marketplace listings and forum discussions.
  • Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks.
  • Ransomware strains used in high-profile attacks command a higher price for associated services. For example, the most expensive listing was $1,262 for a customized version of Darkside ransomware, which was used in the infamous Colonial Pipeline ransomware attack of 2021.
  • Source code listings for well-known ransomware generally command higher price points. For example, Babuk source code is going for $950 and Paradise source code is selling for $593. This is interesting since Babuk’s source code was leaked ages ago and has been available on dark web forums ever since.

The researchers also uncovered a wide range of services and tools that make it easier for novice attackers to launch sophisticated ransomware attacks. Services with the most listings include those containing source code, build services, custom development services, and ransomware packages with step-by-step tutorials.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“This study provides a snapshot of a moment in time when macros were the go-to delivery mechanism for an overwhelming number of ransomware operations. The specific catalyst that drove Microsoft’s decision to implement a policy to block macros by default is unclear — especially considering that phishing is – and has been for years – the number one initial infection vector, with countless phishing campaigns making use of weaponized Microsoft documents featuring malicious macros.

That said, regardless of the reasons behind the policy’s timing, Microsoft should be commended for taking a proactive step towards immeasurably reducing the attack surface at organizations across the globe.”

2. Attackers are leveraging the Dark Utilities ‘C2aaS’ platform in malware campaigns targeting Windows and Linux systems

A recent report from the Cisco Talos intelligence team analyzes the new Dark Utilities platform that provides full-featured command-and-control (C2) capabilities to adversaries.

Since its initial release in early 2022, researchers have observed malware samples in the wild leveraging the platform to facilitate remote access.

What is Dark Utilities?

Dark Utilities is a new C2 platform first observed in early 2022 offering a variety of services, including remote system access, DDoS capabilities, and cryptocurrency mining.

The C2-as-a-service (C2aaS) platform provides adversaries with a range of payloads to be executed on victim systems, allowing the attacker to register with the service and establish a C2 channel.

Dark Utilities currently supports Windows, Linux, and Python-based payloads, making it even easier for attackers to target multiple platforms. This also aligns with current research showing that more versatile malware platforms (capable of targeting multiple operating systems) are more attractive to threat actors, and perform more successfully on dark web marketplaces.

Currently, the platform has about 3,000 users enrolled at €9.99 ($10.21) for access to the platform, payloads, and API endpoints. The platform’s operator has also established Discord and Telegram communities to provide technical support and assistance for its customers.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The low price of this C2 platform, coupled with its significant variety of features, makes Dark Utilities quite attractive to threat actors looking for an easy way to engage in cybercrime of any nature.

We can already see the mileage this C2aaS is getting with its 3,000 users enrolled over the span of just a few short months. Even more noteworthy is the platform’s use of the InterPlanetary File System (IPFS) to host its malicious payloads. As CTI has previously reported, threat actors are increasingly leveraging IPFS URLs and infrastructure to host payloads due to its decentralized, peer-to-peer (P2P) distributed storage capabilities. IPFS makes it easy to store and share malicious content, and is highly resistant to disruptions at the hands of law enforcement as a result of its structure.

CTI expects to continue to see IPFS-associated URLs increasingly leveraged by cybercriminals.”

3. LockBit ransomware abuses Windows Defender to load Cobalt Strike

New research from SentinelOne reveals that the LockBit 3.0 operation is abusing the Windows Defender command line tool to side-load malicious DLLs that decrypt and install Cobalt Strike beacons on compromised systems.

LockBit 3.0 ransomware, also referred to as LockBit Black, is an evolution of the LockBit ransomware-as-a-service (RaaS) model. LockBit 3.0 was allegedly created around June 2022 after critical bugs were discovered in LockBit’s 2.0 version.

The new version includes several new features/improvements:

  • To improve resilience, the operators have been aggressive with regards to standing up multiple mirrors for their leaked data and publicizing the site URLs. The operation has also added an instant search tool to its leak site (a trend CTI previously reported on, and predicted would spread like wildfire among extortion/ransomware operations – it has).
  • New management features were introduced for affiliates of the RaaS.
  • Zcash was added for victim payments in addition to Monero and Bitcoin.
  • It achieves persistence via the installation of System Services. Each execution of the payload installs multiple services.
  • It writes a copy of itself to the %programdata% directory and launches from this process.
  • New anti-analysis techniques, including code packing, obfuscation and dynamic resolution of function addresses, function trampolines, and anti-debugging techniques.

Now, SentinelOne has observed LockBit utilizing a legitimate tool, Windows Defender, to load Cobalt Strike beacons.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“It is not clear why LockBit has pivoted to Windows Defender to side-load Cobalt Strike beacons, but it is most likely an effort to bypass standard security solutions. It’s important for organizations to be aware that threat actors are (and have been) using legitimate tools to aid in the loading of Cobalt Strike beacons, and this is a trend that CTI has observed increasing as of late. While not directly related to this story, other threat actors are also increasingly abusing publicly available, trusted cloud resources to store and deliver malware, which is another notable example. Organizations need to monitor changes to their critical security tools and avoid overlooking suspicious activity resulting from legitimate tools simply because the tool is trusted. The same goes for the trusted cloud services companies rely on to support their daily operations.”
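As an added defender-side example (not code from SentinelOne’s report or from Tanium), the following Python applies the monitoring advice above to constructed Sysmon-style image-load records (Event ID 7 fields). It assumes the Windows Defender command line tool is MpCmdRun.exe and that its DLLs normally live under the two Defender install directories listed; the DLL names, paths, version folder and process IDs in the sample records are constructed.

```python
from pathlib import PureWindowsPath

# Assumed name of the Windows Defender command line tool abused for side-loading.
DEFENDER_CLI = "mpcmdrun.exe"

# Assumed directories where the Defender CLI and its DLLs legitimately live.
TRUSTED_DEFENDER_DIRS = (
    PureWindowsPath(r"C:\Program Files\Windows Defender"),
    PureWindowsPath(r"C:\ProgramData\Microsoft\Windows Defender\Platform"),
)

# Constructed Sysmon-style image-load records (Event ID 7 fields), not real telemetry.
SAMPLE_IMAGE_LOADS = [
    {"ProcessId": 1234, "Signed": "true",
     "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\MpClient.dll"},
    {"ProcessId": 4412, "Signed": "false",  # copied CLI plus look-alike DLL in a temp dir
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\MpClient.dll"},
    {"ProcessId": 5120, "Signed": "false",  # genuine CLI location, DLL pulled from elsewhere
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MpCmdRun.exe",
     "ImageLoaded": r"C:\ProgramData\Temp\MpClient.dll"},
    {"ProcessId": 7001, "Signed": "true",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]


def _under_trusted_dir(path):
    """Case-insensitive check that a path sits below one of the trusted Defender directories."""
    norm = str(PureWindowsPath(path)).lower()
    return any(norm.startswith(str(d).lower() + "\\") for d in TRUSTED_DEFENDER_DIRS)


def check_image_load(rec):
    """Return the reasons this record looks like Defender CLI DLL side-loading (empty if benign)."""
    image, loaded = rec["Image"], rec["ImageLoaded"]
    if PureWindowsPath(image).name.lower() != DEFENDER_CLI:
        return []  # only the Defender CLI is in scope for this rule
    reasons = []
    if not _under_trusted_dir(image):
        reasons.append("Defender CLI running from untrusted location: " + image)
    if not _under_trusted_dir(loaded):
        reasons.append("Defender CLI loaded DLL from untrusted location: " + loaded)
    if rec.get("Signed", "").lower() != "true":
        reasons.append("loaded DLL is not signed: " + loaded)
    return reasons


def scan(records):
    """Return (ProcessId, reasons) for every record that trips the rule."""
    hits = []
    for rec in records:
        reasons = check_image_load(rec)
        if reasons:
            hits.append((rec["ProcessId"], reasons))
    return hits
```

Running `scan(SAMPLE_IMAGE_LOADS)` flags the two constructed side-load records and leaves the genuine Defender load and the unrelated notepad load alone.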

Hunt down cyber threats with Tanium

Hackers are working overtime to launch sophisticated, targeted attacks against enterprises across all verticals. Businesses need to take the offensive, and hunt down threats before they impact operations.

Our Converged Endpoint Management (XEM) platform makes this easy, by providing advanced threat hunting capabilities. To experience our platform in action, try it today.


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.