cxo voice
  • Home
  • News
  • Leaders Talk
  • Expert Opinion
No Result
View All Result
  • Home
  • News
  • Leaders Talk
  • Expert Opinion
No Result
View All Result
Leaders Talk and Latest Tech News | CXO VOICE
No Result
View All Result
Home News Cyber Security

Email Malware Evolving Into a Dangerous Attack Source

Sundar Balasubramanian by Sundar Balasubramanian
September 6, 2022
Reading Time: 6 mins read
Email Malware
Share on FacebookShare on Twitter

It may surprise that most burglars gain access to victims’ homes by walking through the front door. This is because every home has one, often left unlocked. For many years, Microsoft Office documents have been our digital front doors. Almost all of us will have used Office docs at some point, be it Word, PowerPoint, or Excel, and every day thousands of emails are exchanged with these documents attached. Most of the time, we don’t even question their source, making them a wide-open door.  

Over 70% of the malicious files in India were delivered via email in the last 30 days, according to Check Point’s Intelligence Report on India, the top malware in India is Emotet, an advanced, self-propagating, modular Trojan that distributes other malware or malicious campaigns. It can be spread via phishing spam emails containing malicious attachments or links. With the growing sophistication of this new malware within emails, such phishing attacks will just escalate.  

The malicious use of Microsoft docs occurs so frequently that they even have their name – maldocs – and one of the main techniques cybercriminals use to create them involves the abuse of Office macros. 

Thankfully, Microsoft has now started the process to block macros by default, but it took a while to get there. 

With its widespread reach, such email infection chains were also highlighted as one of the critical cybersecurity risk predictions in Check Point’s 2022 Cyber Attacks Mid-Year Report. So, what do these email infection chains mean for your business? Is worrying about suspicious attachments a thing of the past? Let’s look at how email infection chains are diversifying in 2022. 

The long-standing problem with macros 

Office macros are special purpose programs that cybercriminals have used to deliver malware via email attachments for years. Security firms have been fighting the practice for years, but it was always clear that the key to preventing macro abuse lay in the hands of Microsoft itself. Indeed, in February this year, Microsoft announced it would change Office default settings to disable macros – only to roll back on that decision in July and then to tell that the process will continue as planned.

ADVERTISEMENT

Although proof of concept (PoC) and active exploits using VBA macros appeared as early as 1995, they lacked info-stealing functionality and were mostly used for pranks. These types of attacks died out in 2010 when Microsoft introduced “protected view” – a yellow ribbon warning users not to enable macros’ functionality. However, the use of macros was re-introduced when threat actors realized that, with a bit of social engineering, they could convince users to enable macros and then use them to download and execute other binary files. 

Although Microsoft acknowledged the issue multiple times, the malicious use of Office macros and vulnerabilities has increased in popularity over the years. By January 2022, our analysis found that as much as 61% percent of all malicious payloads attached to emails sent to our clients were various document types such as xlsx, xlsm, docx, doc, ppt, and others. Check Point ThreatCloud latest figures show that Excel files alone make up 49% of all malicious files received by email.

Typically, a carefully socially engineered email carrying an Excel file with a malicious macro is the weapon of choice for unsophisticated actors and top-notch APT groups.

Cybercriminals getting creative 

After announcing its intention to block VBA macros on Office docs in February, an unexpected twist to the plot came in early July, when Microsoft reversed its decision. Replying to a user complaint, a Microsoft representative admitted that they had rolled back on the decision “based on feedback”. 

Microsoft faced a massive backlash from users and has since resumed the rollout of VBA macro blocking, explaining that the July pullback was only temporary.

Against this backdrop, threat actors have begun exploring alternatives for non-executable malicious email chains, which mostly start with different types of archive file like .ZIP and . RAR. In many cases, those archive files are password protected, with the password written in the body of the email. These archive files mainly include the malicious file, or in some cases, have an additional benign file that leads to the malicious file.

In April, Emotet was reported to be emailing OneDrive URL links of zip files containing malicious xll files. These xll files are .dll libraries designed for Excel, and threat actors typically use an exported xlAutoOpen function to download and run malicious payloads. Various tools and services, such as Excel-DNA, are already available to build .xll downloaders. 

Another type of archive file that became a common alternative to maldocs is the use of ISO archives, which bypass the Mark-of-the-Web security mechanism. Together with a combination of .hta payload, they can look like legitimate documents but run malicious code in the background. For example, bumblebee, a malware loader detected in February, delivers various payloads that often result in ransomware attacks and is reported to involve .iso files delivered via email initially.

In June, we also reported that Snake Keylogger’s malware had returned to our monthly global threat index after a long absence. Previously, the malware had generally been spread via emails that included docx or xlsx attachments with malicious macros; however, its return to the index was a result of it being distributed via PDF files – possibly due in part to Microsoft’s announcement. 

So, although internet macros will now be blocked by default, cybercriminals are continuing to evolve their tactics, becoming more creative with new file types, just as we’ve found with Emotet, Bumblebee, and Snake. Using different archive files is such a success for cybercriminals, as most people do not view those files as potentially malicious and trust the files inside the archives as those do not come directly from the web. Looking ahead, we can only expect more sophisticated malware families to accelerate the development of new infection chains, with different file types that are password protected to avoid detection, as advanced social engineering attacks increase. 

It has never been more important for your employees to understand social engineering risks and how to identify an attack. Cybercriminals will often send a simple email that does not contain any malware but impersonates someone you know just to get into a conversation with you. Then, after gaining your trust, the malicious file will be sent. And remember, it may no longer be an Office document or .exe file but another file type such as a .iso or PDF or infection chains that combine different file types. This user education is one of the most essential parts of an effective cybersecurity strategy, but it may also be wise to have a robust email security solution in place that quarantines and inspects attachments, preventing any malicious file from entering the network in the first place.

As a means of protection, organizations should also consider blocking these macros via a site-wide security policy that combines file sanitization and advanced Sandbox emulation. This is primarily an excellent tool for detecting these download-and-execute macro documents early. Alternatively, another defense mechanism could include examining incoming documents and deleting out the macros before they ever reach the targeted user. These capabilities, including protecting against the majority of file types received in addition to office files, are available in Check Point’s Threat Emulation and Threat Extraction products combined in one key offering, Check Point Sandblast. 

Threat Extraction promptly delivers safe, sanitized content to its intended destination. It ensures productivity, emulating archive files discussed earlier, while SandBlast Threat Emulation sandboxing performs a deep analysis of the file and determines whether it was malicious. The end user can access the original file if it is not classified as malicious. Check Point continues innovating by enabling this critical capability on the gateway. Therefore, files downloaded from the web or sent in the email are extracted and cleaned before they reach the user, creating a safer environment for your emails. 

Sundar Balasubramanian

Sundar Balasubramanian

Managing Director at Check Point India & SAARC. www.checkpoint.com

Related Posts

Infosys SGRE
Business

Infosys partners with Microsoft to boost adoption of generative AI

September 26, 2023
Image Credit: Pixabay
Business

IT spending in MENA region to reach $183.8 billion in 2024: Gartner

September 23, 2023
NVIDIA Infosys
Business

Infosys collaborates with NVIDIA for generative AI solutions

September 20, 2023
banks
Finance

Banks Struggle to Achieve Priorities: Report

September 15, 2023
Google AI
Business

Google launches $20 mn fund to support responsible AI

September 12, 2023
Bengaluru IT
News

Bengaluru has potential to become world no 1 in IT, BT exports: K’taka CM

September 4, 2023
AI IBM
AI

AI will help companies grow faster: IBM CEO

August 25, 2023
VMware AI
Business

VMware announces AI integrations to Anywhere Workspace platform

August 24, 2023
Load More
ADVERTISEMENT

Expert Views

Credentials database theft, reused passwords dangerous entryway
Cyber Security

Can SASE be used as your initial defense against ransomware?

September 12, 2023
Smart Cities challenges and security
Cyber Security

Do our abilities match the ambitions of Smart Cities?

August 23, 2023
Why 5G Network Uptime is Essential for a Digitally Interconnected Society
Opinion

Why 5G Network Uptime is Essential for a Digitally Interconnected Society

July 18, 2023
Responding to cyberbullying with cyber confidence and resilience
Cyber Security

Responding to cyberbullying with cyber confidence and resilience

July 17, 2023
Five Ways All-Flash Data Centers Can Drive Sustainability Goals 
Opinion

Five Ways All-Flash Data Centers Can Drive Sustainability Goals 

July 7, 2023

Latest Updates

Jatin Dalal

Cognizant names Jatin Dalal as its next CFO

by News Desk
4 days ago

Security and Risk Management

Global Security and Risk Management Spending to Reach $215 bn by 2024: Gartner

by News Desk
4 days ago

AMD Alveo UL3524

AMD unveils fintech accelerator card for e-trading at nanosecond speed

by IANS
5 days ago

HMD Global

HMD Global Appoints Tanuj Patro as CFO for India & Asia Pacific

by News Desk
5 days ago

Kuehne+Nagel Capgemini

Kuehne+Nagel and Capgemini join hands to deliver an end-to-end supply chain capability

by News Desk
6 days ago

SAP Joule

SAP India announces new genAI assistant ‘Joule’

by IANS
6 days ago

Get Latest Update

Subscribe to our mailing list to receives newsletter direct to your inbox!

ADVERTISEMENT

Leaders Inerviews

NewgenOne
Leaders Talk

NewgenONE bridges the gap between business users and IT teams with its low code capability: Varun Goswami

-
Interview with Prasanna Arikala, CTO, Kore.ai on AI chatbots
AI

Can AI chatbots enhance customer experience and reduce the cost of serving customers?

-
Rising cyber attacks pose a serious threat to Indian SMBs, says Zakir Hussain
Cyber Security

Rising cyber attacks pose a serious threat to Indian SMBs, says Zakir Hussain

-
Axis Bank's Cloud-driven digital banking solutions
Banking

Axis Bank doubles down on cloud based digital banking solutions

-

Entrepreneur

Samsung Electronics appoints its first female president

Inspiring Women Entrepreneurs in India (2022)

Technology Adoption For Entrepreneurs

Volunteering management is the need of the Hour

We bring business leaders' opinions and unique ideas on what’s happening in the market and its impact. Also, get the daily news, analysis, and insights.

Connect with us

Easy Links

  • Cryptocurrency
  • Event
  • Blockchain
  • Press Release
  • Resources & Downloads

Write Us

contact@cxovoice.com
  • Home
  • About
  • Contact Us
  • Advertise
  • Privacy & Policy
  • Feedback

© 2023 CXO VOICE

No Result
View All Result
  • Home
  • News
  • Leaders Talk
  • Expert Opinion

© 2023 CXO VOICE

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

Our Spring Sale Has Started

You can see how this popup was set up in our step-by-step guide: https://wppopupmaker.com/guides/auto-opening-announcement-popups/