Malware-loaded documents making a comeback


While cybercriminals are constantly looking for new ways to compromise IT systems, sometimes the old ways work just fine. Two cybersecurity vendors recently noted malware getting spread through a tried-and-true method: Microsoft Word documents.

In one case, cybercriminals were using interest in Microsoft's new operating system, Windows 11, to lure victims into downloading a malware-laden Word document, according to research from Anomali Threat Research. The Windows 11-themed documents, distributed in June and July, contained a JavaScript backdoor used to compromise the victim's PC.

The JavaScript backdoor trick is a standard attack method for FIN7, an Eastern European cybercrime group active for about six years, Anomali said. The group, credited with the theft of more than 15 million payment card records, has targeted more than 100 companies in the United States, the company said.

It's likely the infected Word documents were distributed through email phishing or spear-phishing campaigns, Anomali said.

The JavaScript backdoor scanned infected PCs for Eastern European languages, including Russian, Ukrainian, and Serbian, and stopped running if those languages were detected, suggesting the attack came from the region. "It is accepted as an almost unofficial policy that cybercriminals based in [Eastern Europe] are generally left alone, provided they do not target interests or individuals within their respective borders," Anomali researchers wrote.

Meanwhile, cybersecurity vendor Netskope Threat Lab observed that 43% of all recent malware downloads were malicious office documents, including Microsoft Office, Google Docs, and PDFs. The Netskope Threat Lab Cloud and Threat Report from July found the percentage, from the second quarter of this year, was up from 34% in the first quarter and from 14% in the second quarter of 2020.

"Even though infecting office documents with malware has been established for a long time, it is still very successful at tricking people," Atlas VPN's blog commented. "After creating a malicious macro on office documents, threat actors send the infected file to thousands of people via email and wait for possible victims."
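The article describes the recurring pattern of a macro planted in an office document and mailed out in bulk. As an added defensive illustration (not code from the article or from any vendor it quotes), the Python below performs the kind of static triage a mail gateway or analyst would run on an attachment before anyone opens it: it checks whether an OOXML package carries an embedded VBA project, and flags a macro-enabled file that hides behind a macro-free extension such as `.docx`. The sample documents are built in memory, and names such as `triage` and `inspect_office_document` are this example's own.

```python
import io
import zipfile
from typing import Dict, List

# Part names OOXML packages use for an embedded VBA project (Word, Excel, PowerPoint).
VBA_PART_NAMES = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Content type Office registers for that part in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of the legacy OLE2 container (.doc/.xls); those need an OLE parser.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_FREE_EXTENSIONS = ("docx", "xlsx", "pptx")


def inspect_office_document(data: bytes) -> Dict[str, object]:
    """Static findings for one document blob: container format and VBA presence."""
    findings: Dict[str, object] = {"format": "unknown", "has_vba": False, "parts": []}
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: out of scope here, but worth surfacing on its own.
        findings["format"] = "ole-legacy"
        return findings
    if not data.startswith(b"PK"):
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            findings["format"] = "ooxml"
            # Match the canonical part names and any renamed copy of vbaProject.bin.
            vba_parts = [n for n in names
                         if n in VBA_PART_NAMES or n.lower().endswith("vbaproject.bin")]
            findings["parts"] = vba_parts
            if vba_parts:
                findings["has_vba"] = True
            # The content-types manifest is a second, independent indicator.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in manifest:
                    findings["has_vba"] = True
    except zipfile.BadZipFile:
        findings["format"] = "corrupt-zip"
    return findings


def triage(filename: str, data: bytes) -> List[str]:
    """Return verdict labels for an attachment; an empty list means nothing flagged."""
    findings = inspect_office_document(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    verdicts: List[str] = []
    if findings["has_vba"]:
        verdicts.append("macro-enabled")
        if ext in MACRO_FREE_EXTENSIONS:
            # A VBA project inside a .docx/.xlsx/.pptx name is a mismatch worth blocking.
            verdicts.append("extension-mismatch")
    if findings["format"] == "ole-legacy":
        verdicts.append("legacy-binary-format")
    return verdicts


def build_sample(parts: Dict[str, object]) -> bytes:
    """Construct a minimal OOXML-style zip from a mapping of part name -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample inputs (not real documents): a clean .docx and a macro-enabled one.
CLEAN_DOCX = build_sample({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
})
MACRO_DOCM = build_sample({
    "[Content_Types].xml": ('<Types><Override PartName="/word/vbaProject.bin" '
                            'ContentType="application/vnd.ms-office.vbaProject"/></Types>'),
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00" * 16,
})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 24


if __name__ == "__main__":
    for name, blob in [("quote.docx", CLEAN_DOCX), ("quote.docm", MACRO_DOCM),
                       ("quote.docx", MACRO_DOCM), ("quote.doc", LEGACY_DOC)]:
        print(name, triage(name, blob) or ["clean"])
```

The check is deliberately structural rather than signature-based: it does not try to judge what the macro does, only whether one is present and whether the file name is consistent with that, which is the decision a gateway policy (block, quarantine, or detonate in a sandbox) actually needs.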

Other cybersecurity experts echoed Atlas VPN's perspective. Attacks delivered through office documents still work because a significant percentage of email users will still open suspicious attachments, particularly when a targeted social-engineering pitch accompanies them, some said.

In addition to targeted emails, social media applications can target victims and distribute malware, said former CIA senior intelligence officer Peter Warmka.

"This is an old trick with new packaging," he told the Washington Examiner. "Today's professional human hackers have gravitated from using spam email to unique spear-phishing attacks delivered through social media."

In addition, many documents are now hosted in the cloud, with links in email and other delivery methods instead of attachments, noted Ron Gula, president of Gula Tech Adventures, a cybersecurity investment firm.

"All office document types have become more complex, and we now send them around with URLs for where they are hosted instead of the actual documents," he told the Washington Examiner. "This complexity makes it much harder to test them with antivirus or sandbox tools."

When a criminal organization targets an organization, it needs only one employee to be tricked into clicking on a link or downloading an attachment, he added. "The attack only has to work for one person in an organization, and the attack vector can be business email, personal email, Slack, Signal, Apple messaging, Facebook messaging, and many others," he said. "If a target gets an email they are expecting, they are more likely to click on it."

While malware-infected documents aren't new, many computer users ignore cybersecurity issues, added Alex Bodryk, CEO of Cyberlands, a penetration testing service. "People still tend to ignore anything that is not relevant to their core business activities, especially if they don't get punished for violations," he told the Washington Examiner.

In addition, most business users are flooded with emails. "By my subjective opinion, the average office worker receives at least 50 emails per day," he added. As a result, office workers don't have time to inspect each email "carefully" for potential problems.

Employee training remains a meaningful way to battle against these types of attacks, cybersecurity professionals said. Organizations should also keep their systems and office software patched and invest in network and endpoint monitoring and attack prevention technologies, Gula recommended.


Original Author: Grant Gross

Original Location: Malware-loaded documents making a comeback