Email Infection Chains Are Diversifying In 2022

Uploaded on 2022-09-05 in TECHNOLOGY--Resilience, NEWS-News Analysis, FREE TO VIEW

It may come as a surprise that most burglars gain access to victims’ homes by walking through the front door. This is because every home has one, and very often, they are left unlocked. For many years, Microsoft Office documents have been our digital front doors. 

Almost all of us will have used Office docs at some point, be it Word, PowerPoint or Excel, and everyday thousands of emails are exchanged with these types of documents attached. Most of the time, we don’t even question their source, making them a very wide-open door indeed. 

According to Check Point Software's latest threat intelligence report, in the UK  70% of malicious files were delivered via email in the last 30 days and with these messages including links as well as MS word docs, such attacks will just escalate. 

The malicious use of Microsoft docs occurs so frequently that they even have their own name – maldocs.

One of the main techniques that cyber criminals use to create them involves the abuse of Office macros. Thankfully, Microsoft has now started the process to block macros by default, but it took a while to get there. So, what does this mean for your business? Is worrying about suspicious attachments a thing of the past? Let’s take a look at how email infection chains are diversifying in 2022.  

The Long-standing Problem With Macros 

Office macros are special purpose programs that have been used by cyber criminals to deliver malware via email attachments for years. Security companies have been fighting the practice for years, but it was always clear that the key to preventing macro abuse lay in the hands of Microsoft itself. Indeed, in February this year, Microsoft announced it would change Office default settings to disable macros – only to roll back on that decision in July, and then to announce that the process will continue as it was planned.

Although proof of concept (PoC) and active exploits using VBA macros appeared as early as 1995, they lacked info-stealing functionality and were mostly used for pranks. These types of attacks died out in 2010 when Microsoft introduced “protected view” - a yellow ribbon warning users not to enable macros’ functionality. T

The use of macros was re-introduced when threat actors realised that, with a bit of social engineering, they could convince users to enable macros and then use them to download and execute other binary files. 

Although Microsoft acknowledged the issue multiple times, the malicious use of Office macros and vulnerabilities has increased in popularity over the years. By January 2022, our analysis found that as much as 61% percent of all malicious payloads attached to emails sent to our clients were various document types such as xlsx, xlsm, docx, doc, ppt, and others. The Check Point ThreatCloud index latest figures show that Excel files alone make up 49% of all malicious files received by email.

Typically, a carefully socially engineered email carrying an Excel file with a malicious macro is the weapon of choice for unsophisticated actors as well as top notch APT groups.

Cyber Criminals Getting Creative 

After announcing its intention to block VBA macros on Office docs in February, an unexpected twist to the plot came in early July, when Microsoft reversed its decision. Replying to a user complaint, a Microsoft representative admitted that they had rolled back on the decision “based on feedback”. 

Microsoft faced a huge backlash from users and has since resumed the rollout of VBA macro blocking, explaining that the July pullback was only temporary.

Against this backdrop, threat actors have begun exploring alternatives for non-executable malicious email chains which mostly start with different types of archive file like .ZIP and . RAR. In many cases those archive files are password protected, with the password written in the body of the email. These archive files mostly include the malicious file, or in some cases include an additional benign file that leads to the malicious file.

In April, Emotet was reported to be emailing OneDrive URL links of zip files containing malicious xll files. These xll files are .dll libraries designed for Excel, and threat actors typically use an exported xlAutoOpen function to download and run malicious payloads. Various existing tools and services, such as Excel-DNA, are already available to build .xll downloaders. 

Another type of archive files that became a common alternative to maldocs is the use of ISO archives, which bypass the Mark-of-the-Web security mechanism. Together with a combination of .hta payload, they can look like legitimate documents but run malicious code in the background.

Bumblebee, a malware loader detected in February, delivers various payloads that often result in ransomware attacks, and is reported to initially involve .iso files delivered via email. In June, it was reported that the malware, Snake Keylogger, had returned to the Check Point Software monthly global threat index after a long absence.

Previously, the malware had generally been spread via emails that include docx or xlsx attachments with malicious macros, however its return to the index was a result of it being distributed via PDF files - possibly due in part to Microsoft’s announcement. 

So, although internet macros will now be blocked by default, cybercriminals are continuing to evolve their tactics, becoming more creative with new file types, just as we’ve found with Emotet, Bumblebee and Snake. Using different archive files is such a success for the cybercriminals, as most of the people do not view those files as potentially malicious and trust to the files that are inside the archives as those do not come directly from the web.

Looking ahead, we can only expect more sophisticated malware families to accelerate the development of new infection chains, with different file types that are password protected to avoid detection, as advanced social engineering attacks increase. 

It has never been more important for your employees to understand the risks of social engineering and how to identify an attack.

Cyber criminals will often send a simple email that does not contain any malware but impersonates someone you know just to get into conversation with you. Then, after gaining your trust, the malicious file will be sent. And remember, it may no longer be an Office document or .exe file but another file type such as a .iso or PDF or infection chains that combine different file types.

This user education is one of the most important parts of an effective cyber security strategy, but it may also be wise to have a robust email security solution in place, that quarantines and inspects attachments, preventing any type of malicious file from entering the network in the first place.

Ian Porteous is Regional Director, Security Engineering, UK&I at Check Point Software

You Might Also Read: 

Cyber Criminals Increasingly Focus On Mobile Devices:

 

« Understanding Fake News
Improving The Safety & Stability Of Artificial Intelligence »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

British Insurance Brokers’ Association (BIBA)

British Insurance Brokers’ Association (BIBA)

BIBA is the UK’s leading general insurance intermediary organisation. Use the ‘Find Insurance‘ section of the BIBA website to find providers of cyber risk insurance in the UK.

Conference-Service.com

Conference-Service.com

Conference-Service.com provides a categorised calendar of conferences and events which includes Information Security.

Cyber Fusion Center - Maryville University

Cyber Fusion Center - Maryville University

Maryville University Cyber Fusion Center is a virtual lab for working on real-world cyber security challenges.

CyberVista

CyberVista

CyberVista is a cybersecurity training education and workforce development company. Our mission is to eliminate the skills gap by creating job ready professionals.

Keepnet Labs

Keepnet Labs

Keepnet Labs is a phishing defence platform that provides a holistic approach to people, processes and technology to reduce breaches and data loss and presents anti-phishing solutions.

Cytelligence

Cytelligence

Cytelligence is a cyber security consulting company with deep expertise in Cyber Breach Response, Cyber Breach Investigations, and Digital Forensics.

Cynamics

Cynamics

Cynamics is the only network monitoring solution built specifically for Smart City, Public Safety and Critical Infrastructure networks.

Netizen

Netizen

Netizen is an award-winning company that develops and leverages innovative solutions to enable a more secure cyberspace for clients in government and commercial markets.

Talon Cyber Security

Talon Cyber Security

Talon delivers the leading enterprise browser designed to bring security to managed and unmanaged devices, regardless of location, device type or operating system.

IN4 Group

IN4 Group

IN4 Group is a skills, innovation and start-up services provider that specialises in supporting businesses with the training, communities, networks and advice they need to scale.

Global Cybersecurity Association (GCA)

Global Cybersecurity Association (GCA)

GCA’s Symposium and conferences featuring global thought leaders and CISOs provide a global best practice perspective on cybersecurity.

Cyber Security Canada

Cyber Security Canada

Cyber Security Canada is an accredited Certification Body for government-backed Cyber Security Certification Programs, designed specifically for small and medium-sized Canadian businesses.

TechBase

TechBase

TechBase is an innovation and start-up center offering technology-oriented start-ups optimal conditions for successful business development.

Cyber Security Authority (CSA) - Ghana

Cyber Security Authority (CSA) - Ghana

The Cyber Security Authority has been established to regulate cybersecurity activities in Ghana.

Xact IT Solutions

Xact IT Solutions

Xact IT Solutions are a certified cybersecurity firm offering cybersecurity, compliance and managed services.

Panoplia Digital Protection

Panoplia Digital Protection

Panoplia Digital Protection is a cutting-edge cybersecurity company that leverages the power of AI and ML to help businesses and consumers protect themselves against cyber threats.