The 2015 Global Security Report (gated) estimates that an attacker can realize an average return on investment of 1,425% with a month-long exploit kit or ransomware campaign, with $84,100 in net revenue for every $5,900 invested. Much like Browser Exploit Kits, even the minimal technically qualified can utilize Word exploits by purchasing malware as a service kits.
Critical Start is seeing a large increase in the amount of “commodity” type malware at our clients that is based on immediate monetary gain. Cyber espionage from nation states, competitors, hacktivists, and terrorists is still alive and well. However, how can organizations reduce the amount of noise from these types of attacks?
With the rise of email and the web, executable files – spread mainly through email and files placed on websites – were the most common way to trick users into installing malware on their systems. These types of attacks are easier for IT departments to prevent. Most organizations now block or control the ability to transmit executable content and scripts through email and network gateways, while still permitting file types they considered safe, such as Microsoft Word documents, Excel Spreadsheets, and PDF documents.
Over time documents and Office files have changed. They are no longer simple static files with little potential for harm. Programs like Microsoft Word and Adobe PDF have added macro and scripting capabilities that enable documents to work in much the same way as executable programs, including the ability to run processes and install other bits of code on user systems.
Let’s take a look a simple example of an encrypted Word document that one of our clients received. When this is opened by the user at the Desktop, this is what they see:
Attackers are keen to the fact that Macros are usually disabled by default. Bearing this in mind, the attacker tries to create a sense of urgency by falsely claiming that the file is protected with a RSA key and requires the user to “Enable Content”.
For this attack to be successful, all the user has to do is click “Enable this content”.
Not wanting to alert the user to imminent danger, the attacker has a new document displayed once macros are enabled.
Typically, enterprises would be dependent on signature based detection technology (AV/IPS) to detect this type of activity. However, the efficacy of those tools in preventing encoded or obfuscated attacks is questionable at best. Instead, using ATAP (Advanced Threat Analytics Platform) plus host information from Carbon Black, we can see what actually happened – winword.exe launching a command prompt.
If we then select cmd.exe, Carbon Black would allow us to view the command line parameters. As we can see the bat file 21385.bat was created by winword.exe and then started via the command prompt.
The attacker then uses cscript.exe to run the visual basic script 21385.vbs, which continues the malware execution and infection mechanism. Below we can see the process tree clearly reveals the processes executed and their parent processes.
Malware writers use simple obfuscation techniques to make it difficult for parsing tools (like Yara) to pick out potentially dangerous items like PowerShell script extensions (ps1). See how the vbs script uses variables and concatenation to construct the PowerShell script name 21385.ps1.
Once the obfuscated content is executed (without detection by traditional methods), the PowerShell script pulls down the real malware from http://anacornel.com named united.exe. The script also brings down an image file from http://savepic.su to keep track of the number of infected machines.
In this example, the domain anacornel.com was blocked by another ATA tool (OpenDNS). Even though the initial infection was successful, the callback to secondary domains was blocked. This is a great example of using multiple layers and never relying on just one tool or process to protect the organization.
If the domain was unknown or categorized as benign, and the secondary infection was successful, then application whitelisting (Bit9) or Cylance (next generation anti-virus) would prevent the malware from running. Without these additional tools a reliance on traditional signature based detection technology could leave you completely blind to this type of attack and your enterprise exposed to significant risk.
Some simple measures that would also help to protect your enterprise from this type of threat:
- End user training
- Take away local admin rights
- Patch vulnerable applications as quickly as possible