1
00:00:01,600 --> 00:00:11,160
Produced by PI Media. Hi,
I'm Ran Levi. Welcome to CP Radio.

2
00:00:11,759 --> 00:00:17,359
According to Statista, the global cybersecurity
industry is expected to earn one hundred

3
00:00:17,399 --> 00:00:21,960
and sixty two billion dollars in twenty
twenty three. Five years from now,

4
00:00:22,160 --> 00:00:28,359
it's projected at over two hundred and
fifty billion. Large organizations spend thousands upon

5
00:00:28,480 --> 00:00:33,200
thousands, even millions of dollars in
a year trying to protect their systems,

6
00:00:34,000 --> 00:00:39,079
and small businesses will scrape together what
little they can get for some kind of

7
00:00:39,119 --> 00:00:45,159
protection, whether it's basic anti virus
or a password manager, phishing protections,

8
00:00:45,320 --> 00:00:50,000
firewalls, XDR, you name it.
A massive amount of time, energy,

9
00:00:50,240 --> 00:00:56,240
money, manpower and other resources we
could otherwise spend on other things are by

10
00:00:56,320 --> 00:01:03,520
necessity dedicated to fighting cyber criminals every
day, which makes it almost unbelievable to

11
00:01:03,640 --> 00:01:08,560
think that just one simple policy change
from one company, with almost no cost

12
00:01:08,640 --> 00:01:14,959
to anybody and no effort involved,
could alter the entire course of cyberspace.

13
00:01:15,680 --> 00:01:22,879
And yet that is exactly what happened
about a year ago today. The

14
00:01:22,959 --> 00:01:29,359
following story is a microcosm of how
a single act from Microsoft changed fundamentally

15
00:01:29,599 --> 00:01:34,000
how even high-level threat actors must
now go about infecting their victims and

16
00:01:34,079 --> 00:01:42,040
the implications that follow when the entire
cybercrime ecosystem is forced to shift. At

17
00:01:42,159 --> 00:01:47,840
the center of this story is APT
thirty seven. APT thirty seven is a

18
00:01:47,879 --> 00:01:53,599
state sponsored actor from North Korea,
and they typically target their southern neighbors in

19
00:01:53,680 --> 00:02:00,519
South Korea. Sam Hendelman is a
threat intelligence analyst at Check Point. Recently,

20
00:02:00,719 --> 00:02:06,280
he and his colleagues were embedded in
research about North Korea's APT thirty seven.

21
00:02:06,599 --> 00:02:10,520
Also known by names like Reaper and
ScarCruft, the group is sort of a

22
00:02:10,599 --> 00:02:16,560
Swiss army knife for any of the
Kim Jong Un regime's cyber needs. Although they

23
00:02:16,680 --> 00:02:22,960
usually attack South Korea, they have
also been seen targeting other countries such as

24
00:02:23,080 --> 00:02:29,520
Japan, Vietnam, and even recently
they were seen targeting countries in the EU.

25
00:02:30,400 --> 00:02:34,199
The group has been around for over
a decade, at least since two

26
00:02:34,199 --> 00:02:38,360
thousand and twelve, and in that
time they've created a series of different trojan

27
00:02:38,439 --> 00:02:45,879
backdoors, such as Dolphin and Goldbackdoor
and Konni. They actually have a

28
00:02:45,879 --> 00:02:49,120
lot more, but I won't list
them all right now. One of the

29
00:02:49,280 --> 00:02:53,560
most recent creations, first discovered in
twenty seventeen, is called RokRat.

30
00:02:54,080 --> 00:02:59,960
In most ways, RokRat is
like any other remote access trojan, with capabilities.

31
00:03:00,159 --> 00:03:05,639
These include being able to download payloads, download shellcode, and delete files

32
00:03:05,719 --> 00:03:08,159
on the computer to clean up, the
kind of commands that you would see in

33
00:03:08,560 --> 00:03:15,520
most other rats. Its most interesting
trait is how it interfaces with cloud services

34
00:03:15,560 --> 00:03:22,319
like Dropbox, Yandex Cloud and pCloud.
The attackers can upload files to

35
00:03:22,520 --> 00:03:25,759
the cloud service and the RAT is
able to download them and interpret them as

36
00:03:25,800 --> 00:03:34,120
commands and run additional payloads. And
what's interesting about using these services as a

37
00:03:34,120 --> 00:03:38,680
command and control infrastructure or C two
is that the attackers are able to use

38
00:03:38,680 --> 00:03:45,000
very generic and well known services, which makes it harder for researchers to

39
00:03:45,080 --> 00:03:49,159
actually track their infrastructure because, for
example, we could have seen in the

40
00:03:49,199 --> 00:03:53,240
past that APT thirty seven uses A, B and c IP addresses, and

41
00:03:53,280 --> 00:03:58,960
then in the future we'd be able
to track those servers and it'd be easier

42
00:03:58,960 --> 00:04:03,240
for us to find. But instead
they opted to use cloud services, which

43
00:04:03,400 --> 00:04:09,240
make it a little more generic and
harder to track and make the traffic look

44
00:04:09,400 --> 00:04:16,199
more benign because it's common for people
to use these cloud services. To get RokRat

45
00:04:16,319 --> 00:04:23,439
onto computers in South Korea and
abroad, APT thirty seven crafts phishing attack

46
00:04:23,680 --> 00:04:29,480
emails designed to be interesting enough to
click on. The lures that they use

47
00:04:29,839 --> 00:04:35,000
tend to be connected to themes
related to relations with North Korea, including

48
00:04:35,040 --> 00:04:42,079
the Ministry of Reunification for escaped dissidents. We've seen them also use lures related

49
00:04:42,079 --> 00:04:46,240
to the private sector in South Korea, including some business documents that appear to

50
00:04:46,279 --> 00:04:51,439
be taken from a previous hack. In
a recent campaign, for example, the

51
00:04:51,560 --> 00:04:56,639
lure that they used to deliver this
malware was a lot more generic and just

52
00:04:56,680 --> 00:05:00,480
seemed to be targeted to general people
in South Korea. They used a

53
00:05:00,600 --> 00:05:05,600
lure involving a bank called KakaoBank, and it prompted the user to enter

54
00:05:05,639 --> 00:05:11,439
their password for KakaoBank.
The goal in any of these cases is,

55
00:05:11,439 --> 00:05:15,279
of course, to get a target
to download their own malware. And

56
00:05:15,399 --> 00:05:20,199
there's one trick hackers love more than
any other for achieving that: a malicious Word

57
00:05:20,240 --> 00:05:27,720
document with a macro. So can
you just briefly explain what macros are and

58
00:05:27,839 --> 00:05:33,680
how hackers use them? So macros
are code that you can find in Microsoft

59
00:05:33,720 --> 00:05:41,439
Office documents that are intended to automate
different kinds of tasks. The whole intention

60
00:05:41,480 --> 00:05:46,160
of macros was to make life easier
for people to automate mundane tasks in Office

61
00:05:46,199 --> 00:05:51,560
documents. For example, let's say
you have a Word document and you had

62
00:05:51,600 --> 00:05:55,879
to write something in it, or
an Excel document you wanted to write something

63
00:05:55,920 --> 00:05:59,600
in it and you need to submit
it somewhere, and the author of the

64
00:05:59,720 --> 00:06:04,360
document puts in a button that you
can click to submit that data somewhere else,

65
00:06:04,399 --> 00:06:09,399
to the Internet. This is the
kind of thing that macros were created

66
00:06:09,439 --> 00:06:15,120
for, as well as maybe filling
out certain things in a document once you

67
00:06:15,199 --> 00:06:19,199
open it, which is why macros
support running code on opening a document or on

68
00:06:19,319 --> 00:06:25,839
closing a document. Some people love
to use macros to automate any number of

69
00:06:26,000 --> 00:06:31,759
useful tasks that would otherwise take far
longer without them. But hackers eventually took

70
00:06:32,079 --> 00:06:38,519
these facts, took these aspects of
macros, and were able to use them

71
00:06:38,519 --> 00:06:43,959
in a malicious way. Hackers can
write scripts in VBA, the programming language

72
00:06:43,959 --> 00:06:47,759
for macros, that automate things they
want to do to their targets' computers.

73
00:06:48,519 --> 00:06:53,759
So, for example, using the
hook of running code when you open a

74
00:06:53,800 --> 00:06:58,000
document is probably the most common way
to run a macro, because

75
00:06:58,240 --> 00:07:06,240
the code will run right when you
open the document. This usually is what's

76
00:07:06,279 --> 00:07:12,160
happening behind the scenes when you
hear about a malicious attachment in an email

77
00:07:12,240 --> 00:07:16,759
file: somebody clicks to open it
and maybe chooses the option to enable macros,

78
00:07:16,759 --> 00:07:21,560
thinking that it's harmless, but in
fact allowing the hacker's malware to run in

79
00:07:21,600 --> 00:07:28,120
the background. Over the years,
like baggy jeans and Britney Spears, macros

80
00:07:28,240 --> 00:07:32,519
have gone through waves of being in
and out of favor. The first,

81
00:07:32,560 --> 00:07:40,319
like macro viruses that first came up,
happened around nineteen ninety nine approximately,

82
00:07:40,639 --> 00:07:45,319
and macros were actually a common way
of spreading computer viruses like twenty years ago.

83
00:07:45,959 --> 00:07:50,160
And then what happened is that
threat actors started shifting more towards

84
00:07:50,279 --> 00:07:56,639
using exploits, such as exploits in
Internet Explorer, or even exploits in Microsoft

85
00:07:56,680 --> 00:08:01,040
Word, and this was a better
alternative because it allowed them to run

86
00:08:01,240 --> 00:08:07,079
code without you having to click enable
content, and it allowed code to just

87
00:08:07,160 --> 00:08:11,720
automatically run once you opened a web
page or opened a document, and so

88
00:08:11,879 --> 00:08:18,000
exploits actually became a lot more popular
for many years, until things like Internet

89
00:08:18,040 --> 00:08:22,800
Explorer started to become less common,
Flash started to become less common, and

90
00:08:22,839 --> 00:08:28,959
eventually both of those technologies which were
constantly exploited, were eventually killed

91
00:08:28,000 --> 00:08:33,840
off. Microsoft no longer supports Internet
Explorer. Flash is also no longer developed

92
00:08:33,919 --> 00:08:37,799
or supported. Those technologies are gone, and modern browsers, such as Chrome

93
00:08:39,320 --> 00:08:46,080
and Chromium-based Edge and Firefox, have
become more difficult to exploit. So I

94
00:08:46,120 --> 00:08:50,759
think because of that, maybe around
I would say twenty sixteen or twenty seventeen,

95
00:08:50,840 --> 00:08:56,240
a lot of attackers started switching again
more to macros, which is what

96
00:08:56,279 --> 00:08:58,480
they had been using a long time
ago in the past, but it became

97
00:08:58,519 --> 00:09:05,720
the easier vector to use to
attack. So ironically, it was precisely

98
00:09:05,799 --> 00:09:13,240
because popular software was becoming more secure
that macros became so rampant. So I

99
00:09:13,279 --> 00:09:16,440
would say the reason that macros were
kept around for so long is because so

100
00:09:16,519 --> 00:09:20,440
many people were already using them for
so many years. I mean macros have

101
00:09:20,480 --> 00:09:26,639
been around for I mean macro viruses
have been around for even over twenty years,

102
00:09:26,960 --> 00:09:30,759
so people have been using them for
even longer. The main thing is

103
00:09:30,799 --> 00:09:35,799
that people didn't want their code to
just stop working. You can probably automate

104
00:09:35,840 --> 00:09:39,840
these tasks in other ways without having
to embed them in the document, but

105
00:09:39,879 --> 00:09:45,159
this is what people were used to
and people don't like change, so they

106
00:09:45,240 --> 00:09:50,240
continued to do this for a long
while. Even as macros returned to the

107
00:09:50,320 --> 00:09:54,600
fore in cybercrime, they were simply
accepted as a fact of life. That is

108
00:09:54,840 --> 00:10:00,799
until February seventh, twenty twenty two, when Microsoft changed the course of

109
00:10:00,840 --> 00:10:07,639
cybersecurity with twelve words, quote: VBA
macros obtained from the Internet will now be

110
00:10:07,679 --> 00:10:13,919
blocked by default. Actually implementing the
new rule turned out to be bumpy.

111
00:10:15,080 --> 00:10:20,320
Microsoft initially announced that they would start
blocking macros in February twenty twenty two,

112
00:10:20,000 --> 00:10:24,600
but then they quickly reversed this because
there was a lot of pushback from people

113
00:10:24,639 --> 00:10:30,399
who were using Office. So we
could see that there was actual pushback from

114
00:10:30,679 --> 00:10:35,600
people using the software because they really
wanted to continue using it. By June

115
00:10:35,639 --> 00:10:41,200
twenty twenty two, though, the security
community won out over the Office power users,

116
00:10:41,559 --> 00:10:46,200
the plan was back on, and
technically it's actually still possible to use

117
00:10:46,240 --> 00:10:50,759
it. It's just that macros are
disabled when they're downloaded from the Internet from

118
00:10:52,279 --> 00:10:56,360
like an email attachment if they have
a Mark of the Web tag on them.

119
00:10:56,799 --> 00:11:01,399
Hackers now needed an alternative to macros, but they were prepared. Microsoft

120
00:11:01,440 --> 00:11:07,919
first started talking about banning certain types
of macros back in October twenty twenty one,

121
00:11:07,559 --> 00:11:13,679
certain types of Excel macros, that
is, XLMs, for Excel specifically. I

122
00:11:13,720 --> 00:11:16,639
think there was already a beginning.
There was a sense that Microsoft was going

123
00:11:16,720 --> 00:11:24,080
to fully ban macros eventually, and
there started to be a shift. According

124
00:11:24,120 --> 00:11:30,279
to data from cybersecurity company Proofpoint,
in twenty twenty two, the year that

125
00:11:30,360 --> 00:11:35,559
Microsoft rolled out its Internet macro ban, macro-enabled cyber attacks decreased by two

126
00:11:35,679 --> 00:11:41,399
thirds, and this trend continued in
twenty twenty three, except the cyber attacks

127
00:11:41,480 --> 00:11:48,679
themselves. Those didn't stop. Look
at APT thirty seven. They surely wouldn't

128
00:11:48,759 --> 00:11:52,559
let a simple change in Windows get
in the way of their attacks against their

129
00:11:52,600 --> 00:11:58,600
southern neighbors. They're still using North
Korean based lures, but just instead of

130
00:11:58,679 --> 00:12:05,000
only using Word documents with malicious macros
inside of them, they started using zip

131
00:12:05,039 --> 00:12:11,399
files and ISO files that contain several
benign documents, and then one LNK

132
00:12:13,039 --> 00:12:18,639
that's masquerading as a benign document
but actually runs malicious PowerShell in the

133
00:12:18,679 --> 00:12:24,919
background. ZIP folders, ISO
optical disc files, LNK shortcut files,

134
00:12:24,960 --> 00:12:31,320
APT thirty seven continued spreading its RokRat
backdoor, only now via more

135
00:12:31,480 --> 00:12:37,200
creative means. And so this isn't
like a complete takeover, it isn't a

136
00:12:37,200 --> 00:12:43,759
complete replacement. It's really more that
APT thirty seven added a new tool to

137
00:12:43,799 --> 00:12:48,159
their tool set and they're starting to
use LNKs a little bit more.

138
00:12:48,960 --> 00:12:52,039
We still saw even in twenty twenty
three that they were sometimes using macros,

139
00:12:52,120 --> 00:12:56,399
but most of the time most of
the samples that we saw happen to be

140
00:12:56,639 --> 00:13:07,759
LNKs. This is just one
file type attackers can manipulate for their own

141
00:13:07,840 --> 00:13:11,960
purposes, and other threat actors have
come up with their own clever workarounds.

142
00:13:13,399 --> 00:13:18,639
Some used HTML smuggling, sneaking an
encoded malicious script into an HTML attachment,

143
00:13:20,000 --> 00:13:24,120
which gets decoded and runs when the
attachment is opened. Some have opted for

144
00:13:24,200 --> 00:13:31,039
even simpler solutions than that, like
old reliable PDF files containing hyperlinks. Another

145
00:13:31,080 --> 00:13:37,600
trend emerged around last December. A
lot of malware started using OneNote documents.

146
00:13:37,159 --> 00:13:43,120
Basically, they would include
VBScript payloads inside the OneNote document

147
00:13:43,320 --> 00:13:48,360
and trick the user into clicking a
button that would actually run them. So

148
00:13:48,519 --> 00:13:52,879
we saw that in Emotet and Qbot
campaigns, as well as others. By

149
00:13:52,919 --> 00:13:58,679
the following month, dozens of hacker
groups hopped on the trend, using OneNote

150
00:13:58,720 --> 00:14:03,360
to execute over one hundred and
twenty attacks in the first few months of

151
00:14:03,639 --> 00:14:07,240
twenty twenty three. And now this
was mostly cyber crime that was abusing this

152
00:14:07,279 --> 00:14:13,840
technique, but there was actually one
instance where Kimsuky, another North Korean APT,

153
00:14:13,639 --> 00:14:20,279
was seen using this technique as well. At the end of the day,

154
00:14:20,639 --> 00:14:28,279
few decisions have ever made such an
impact in cybersecurity as Microsoft's decision to block

155
00:14:28,440 --> 00:14:33,720
Internet downloaded macros. But that's not
to say there's a single answer to cyber

156
00:14:33,879 --> 00:14:39,240
security, no possible thing anyone can
do to prevent all of it. We

157
00:14:39,399 --> 00:14:46,000
forced hackers to change by reducing the
attack surface, and in my opinion, in any

158
00:14:46,039 --> 00:14:50,519
way that we can reduce the amount
of possibilities that hackers have the better.

159
00:14:50,960 --> 00:14:56,759
However, we know that attackers will
always try to adapt to these changes and

160
00:14:56,840 --> 00:15:01,240
come up with new ways of attacking. But security has constantly just been a

161
00:15:01,440 --> 00:15:05,320
game of cat and mouse, where
attackers do something new and then blue team

162
00:15:05,399 --> 00:15:11,200
defenders have to catch up to that
and try to respond. And the fact

163
00:15:11,279 --> 00:15:15,799
of the matter is the changes, the
trends that we've been seeing, in shifting away

164
00:15:15,799 --> 00:15:20,200
from macros to other methods, they're
not necessarily all, they're not all novel,

165
00:15:20,360 --> 00:15:26,039
or they're not like impossible to follow. So we just need to keep

166
00:15:26,080 --> 00:15:28,919
monitoring all these different types of methods
and making sure that we defend against them

167
00:15:28,919 --> 00:15:35,960
properly. Criminals kept hacking our software, so we made our software more secure,

168
00:15:35,360 --> 00:15:41,399
which forced hackers to change their methods, which pressured Microsoft to change their

169
00:15:41,440 --> 00:15:46,600
policy, which forced hackers to evolve
once more. Now again it's our turn.

170
00:15:50,320 --> 00:15:54,399
That's it for this episode. Thank
you for listening. For past episodes,

171
00:15:54,519 --> 00:15:58,120
visit Check Point Research's blog at research dot
checkpoint dot com, and you can

172
00:15:58,120 --> 00:16:03,159
follow Check Point Research on Twitter or follow
me at Ran Levi. That's r A

173
00:16:03,360 --> 00:16:08,000
n l e v I. CP
Radio is produced by PI Media, written

174
00:16:08,039 --> 00:16:14,159
by Nate Nelson, produced by Hila
Shemesh, and edited and narrated by Ran

175
00:16:14,240 --> 00:16:22,440
Levy. See you next time.
Bye bye,
