Spammers send billions of messages every single day. It is mostly trite advertising — annoying, but generally harmless. But every once in a while, there is a malicious file attached to one of the messages.
To get the recipient to open a dangerous file, it is usually disguised as something interesting, useful, or important: a work document, a great offer, a gift card bearing the logo of a well-known company, and so on.
Malware distributors have their own “pet” formats. In this post we explore this year’s top malware-hiding files.
1. ZIP and RAR archives
Cybercriminals love to conceal malware in archives. For example, ZIP files teasingly titled Love_You0891 (the number varied) were used by attackers to distribute GandCrab ransomware on the eve of St. Valentine’s Day. Other scammers were sighted a couple of weeks later sending archives with the Qbot Trojan, which specializes in stealing data.
This year also saw the discovery of an interesting WinRAR “feature” (in reality, a vulnerability). It turns out that an archive can be prepared so that, when it is unpacked, its contents land in a system folder rather than in the folder the user chose. In particular, a file can be dropped into the Windows startup folder, which causes it to run at the next reboot. We therefore recommend that WinRAR users update it immediately; the fix is in the current version.
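For administrators who want to screen incoming archives for exactly this trick before anyone unpacks them, here is an added example (not from the original post, and not Kaspersky code). It audits the entry names in a ZIP archive and flags absolute paths, parent-directory traversal, and entries aimed at the Windows startup folder or other system locations. ZIP is used because Python's standard library can read it; the WinRAR problem concerned a different archive format, but the check is the same in principle. The sample archive, its file names, and the list of sensitive directories are constructed for the example.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Directory fragments an e-mail attachment should never write to
# (constructed list; extend it for your environment).
SENSITIVE_DIRS = (
    "start menu/programs/startup",
    "windows/system32",
    "windows/syswow64",
)


def classify_entry(name: str) -> Optional[str]:
    """Return why an archive entry name is unsafe to extract, or None if it looks fine."""
    normalized = name.replace("\\", "/")
    # Absolute Windows (C:\...) or POSIX (/...) paths escape the extraction folder outright.
    if re.match(r"^[A-Za-z]:", normalized) or normalized.startswith("/"):
        return "absolute path"
    # A '..' component climbs out of the extraction folder.
    if ".." in normalized.split("/"):
        return "parent-directory traversal"
    lowered = normalized.lower()
    for fragment in SENSITIVE_DIRS:
        if fragment in lowered:
            return f"targets system location: {fragment}"
    return None


def audit_archive(data: bytes) -> List[Tuple[str, str]]:
    """List (entry name, reason) pairs for every unsafe entry in a ZIP held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = classify_entry(info.filename)
            if reason is not None:
                findings.append((info.filename, reason))
    return findings


def build_sample_archive() -> bytes:
    """Constructed ZIP mimicking the trick described above; every payload is harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Love_You0891.txt", "just a text file")
        zf.writestr(
            "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/run.bat",
            "echo constructed",
        )
        zf.writestr("C:/Windows/System32/evil.dll", "constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in audit_archive(build_sample_archive()):
        print(f"BLOCK {entry!r}: {why}")
```

The point of the check is to reject such archives at the mail gateway rather than to sanitize them: some extraction tools strip dangerous names, others do not, and the recipient cannot be expected to know which archiver will open the attachment.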
2. Microsoft Office documents
Microsoft Office files, especially Word documents (DOC, DOCX), Excel spreadsheets (XLS, XLSX, XLSM), presentations, and templates, are also popular with cybercriminals. These files can contain embedded macros — small programs that run inside the file. Cybercriminals use macros as scripts for downloading malware.
Most often, these attachments target office workers. They are disguised as contracts, bills, tax notifications, and urgent messages from senior management. For example, a banking Trojan that goes by the name Ursnif was foisted on Italian users under the guise of a payment notice. If the victim opened the file and agreed to enable macros (disabled by default for security reasons), a Trojan was downloaded onto the computer.
3. PDF files
Cybercriminals are also fond of hiding phishing links in PDF documents. For example, in one spam campaign, fraudsters encouraged users to go to a “secure” page where they were asked to sign into their American Express account. Needless to say, their credentials were immediately forwarded to the scammers.
4. ISO and IMG disk images
ISO and IMG files are disk images, essentially a virtual copy of a CD, DVD, or other disk. Compared with the previous types of attachments they are not used very often, but cybercriminals have been paying increasing attention to them of late.
Attackers have used disk images to deliver malware such as the Agent Tesla Trojan, which specializes in stealing credentials, to victims’ computers. Inside the image was a malicious executable file that, once the image was mounted and the file was run, installed spyware on the device. Curiously, in some cases the cybercriminals sent two attachments (an ISO and a DOC) together, apparently as a fail-safe.
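The Office, PDF, and disk-image sections above all come down to the same defensive question: what is this attachment really, regardless of what its name says? Here is an added example (not from the original post, and not Kaspersky code) of a small triage routine a mail filter could apply. It identifies the container by its magic bytes rather than by extension, looks inside OOXML packages (DOCX/XLSX and their macro-enabled siblings are ZIP files) for a VBA project, flags legacy binary Office files and disk images for review, and notes PDFs carrying link actions. The sample attachments are constructed in memory and contain no real macros or malware; the `/URI` check on PDFs is a crude indicator, not a verdict.

```python
import io
import zipfile
from typing import Dict, List

MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppsm"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy DOC/XLS/PPT compound-file header
ISO_OFFSET, ISO_MAGIC = 0x8001, b"CD001"            # ISO 9660 primary volume descriptor


def detect_container(data: bytes) -> str:
    """Classify an attachment by its bytes, ignoring the file name entirely."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if len(data) > ISO_OFFSET + len(ISO_MAGIC) and data[ISO_OFFSET:ISO_OFFSET + 5] == ISO_MAGIC:
        return "iso9660"
    if zipfile.is_zipfile(io.BytesIO(data)):
        return "zip"
    return "unknown"


def ooxml_has_macros(data: bytes) -> bool:
    """True if an OOXML package carries a VBA project or declares a macro-enabled content type."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return True
        if "[Content_Types].xml" in names:
            return b"macroEnabled" in zf.read("[Content_Types].xml")
    return False


def triage_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Return the detected container and the reasons (if any) the file deserves a closer look."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    container = detect_container(data)
    reasons: List[str] = []
    if ext in MACRO_ENABLED_EXT:
        reasons.append("macro-enabled extension")
    if container == "zip" and ooxml_has_macros(data):
        reasons.append("VBA project inside OOXML package")      # also catches macros in a '.docx'
    if container == "ole2":
        reasons.append("legacy binary Office file: inspect for macros before opening")
    if container == "iso9660" or ext in {".iso", ".img"}:
        reasons.append("disk image attachment")
    if container == "pdf" and b"/URI" in data:
        reasons.append("PDF contains link actions")
    return {"filename": filename, "container": container, "reasons": reasons, "review": bool(reasons)}


def build_samples() -> Dict[str, bytes]:
    """Constructed in-memory attachments for the demonstration; nothing here is real malware."""
    def ooxml(content_type: str, extra: Dict[str, bytes]) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml",
                        f'<Types><Override PartName="/word/document.xml" ContentType="{content_type}"/></Types>')
            zf.writestr("word/document.xml", "<w:document/>")
            for name, blob in extra.items():
                zf.writestr(name, blob)
        return buf.getvalue()

    clean_docx = ooxml("application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml", {})
    macro_doc = ooxml("application/vnd.ms-word.document.macroEnabled.main+xml",
                      {"word/vbaProject.bin": b"constructed placeholder, not a real VBA project"})
    iso = bytes(ISO_OFFSET) + ISO_MAGIC + bytes(64)
    return {"contract.docx": clean_docx, "invoice.docx": macro_doc, "bill.iso": iso}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(triage_attachment(name, blob))
```

Note that `invoice.docx` in the sample is flagged even though its extension is not macro-enabled: the file name is under the sender's control, the package contents are not, so the triage trusts only the latter.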
How to handle potentially dangerous attachments
Consigning all messages with an attached archive or DOCX/PDF file to the spam folder would be overkill. Instead, to outfox scammers, remember a few simple rules:
- Do not open suspicious e-mails from unknown addresses. If you don’t know why a particular message with a particular subject line landed in your inbox, most likely you don’t need it.
- If your work involves dealing with correspondence from strangers, carefully check the sender’s address and the name of the attachment. If something seems odd, don’t open it.
- Do not allow macros to run in documents that arrive by e-mail unless you’re certain that you have to.
- Treat all links inside files with caution. If you don’t see why you are being asked to follow a link, just ignore it. If you believe that you do need to follow a link, manually enter the address of the relevant website in your browser.
- Use a reliable security solution that will notify you about dangerous files and block them, and also will issue a warning if you attempt to go to a suspicious site.