Imagine this: You’re working away on a Tuesday morning when you get an email reply from a potential client. You have been negotiating a services engagement with them for the past few weeks. The e-mail has a Word document attached. You think nothing of it, because you sent them a proposal last week. You open the doc to be greeted by a message like this:
That’s weird, right? But it’s a trusted contact who you have already been exchanging documents with. You go ahead and click the “Enable Content” button, and congratulations – you have just been owned.
This is exactly what happened to one of us at VDA Labs recently (minus the owned part: when we saw the macro prompt we flipped into malware analysis mode instead). The more infosec savvy among us know that enabling macros in an Office document, especially an unexpected one, is always a bad idea. Luckily this is where we caught ourselves and switched into incident response mode. More on that later. First, let's break down the delivery method, because it highlights some sophisticated tactics that have been on the rise recently:
1. The malware attack inserted itself into an ongoing conversation rather than sending a new message
This tactic increases the odds that the attack will succeed by co-opting the trust relationship that already exists between you and the sender. When we teach user awareness training, which includes a section on identifying malicious email, the first step is to "Verify the Sender". This attack defeats that check: the sender really is your contact, and the mail really is a reply on your thread. This particular malware spreads worm-like. Once it has owned a system, it reads that user's mailbox, finds active e-mail threads and replies to them with a copy of the malicious document. Because we were already in recent communication with the sender, we were not surprised to see a message from them, on the same thread no less, and were therefore more likely to click.
2. The malware was delivered as a “Macro Enabled” Word Document
Over time it has become harder to exploit computers. We are, slowly but surely, becoming more secure. In the past, drive-by downloads and watering-hole attacks, both of which rely on exploiting the browser or its plugins without any user interaction, were much more common. Browser and operating system security has since improved considerably, which has pushed malware crews towards Office macros and social engineering. A macro needs no exploit at all: the user is simply asked to run the attacker's code, and Word does the rest.
3. The document itself uses social engineering to encourage you to execute the malicious code
In the screenshot above, the claim that the document was created in an "earlier version of Microsoft Office Word" is a lie. It sounds convincing because who hasn't hit a compatibility issue before? It is, however, just a pretext to get you to click the "Enable Content" button, and the only thing that button does here is allow the embedded macro to run. Similar tricks are being used by phishers across the spectrum. Some specific examples are below:
Phishing crews are upping their game – but what can we do?
The rise of these tactics shows that the bad guys are getting smarter and faster, and you need to make sure the same is true of your organization. Here are some points of advice for taking your game to the next level when defending against sophisticated threats:
- Get user awareness training that goes beyond the basics. Identifying malicious emails is hard, so your people need better training. Does the average person on your team know that they should not enable macros, even in a document from a trusted contact? If they don't, you are very exposed.
- Add technical controls. More likely than not, most users in your organization don't need macros, so perhaps macros should be disabled across the board. If some users do need them, there are technical solutions for that too, such as allowing only digitally signed macros or blocking macros in documents that came from the Internet. More on this in later posts in this series.
- Adopt a no-guilt, “see something, say something” culture within your organization. Users should feel free to reach out to technical staff if there is something they don’t understand or think might be malicious. This should also be true AFTER a user has fallen for the attack. They need to know they can trust your team in order for remediation to happen as fast as possible.
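As an added example of the "disable macros across the board" control above (this is our illustration, not part of the original post or a VDA Labs tool), the script below audits, and optionally enforces, the per-user Office macro policy through the registry keys that Group Policy itself writes. It assumes Office 2016/2019/365 (version key 16.0), Word/Excel/PowerPoint, and that it runs in the user's context; the parameter names and the Audit/Enforce modes are our own.

```powershell
# Added example (not from the VDA Labs post): audit or enforce Office macro policy.
# Assumes Office 2016/2019/365 (registry version 16.0) and per-user (HKCU) policy.
# VBAWarnings meaning: 1 = enable all, 2 = disable with notification (the
# "Enable Content" prompt, Office default), 3 = disable except digitally signed,
# 4 = disable all without notification.
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'Enforce')]
    [string]$Mode = 'Audit',
    # 4 blocks macros outright; use 3 for teams that genuinely need signed macros.
    [ValidateSet(3, 4)]
    [int]$VbaWarnings = 4,
    [string]$OfficeVersion = '16.0'
)

$apps = 'Word', 'Excel', 'PowerPoint'
$desired = @{
    VBAWarnings                       = $VbaWarnings
    # Office 2016+: block macros in files carrying the Mark-of-the-Web
    # (downloaded or received as an e-mail attachment), regardless of VBAWarnings.
    blockcontentexecutionfrominternet = 1
}

foreach ($app in $apps) {
    # The Policies hive is read ahead of the user-editable Trust Center setting
    # and greys the option out in the UI, so users cannot re-enable macros.
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"

    if (-not (Test-Path $key)) {
        if ($Mode -eq 'Enforce') {
            New-Item -Path $key -Force | Out-Null
        }
        else {
            Write-Warning "${app}: no macro policy set; Office default applies (prompt with Enable Content)"
            continue
        }
    }

    foreach ($name in $desired.Keys) {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        $ok = ($current -eq $desired[$name])

        if ($Mode -eq 'Enforce' -and -not $ok) {
            Set-ItemProperty -Path $key -Name $name -Value $desired[$name] -Type DWord
            $current = $desired[$name]
            $ok = $true
        }

        # One row per app/setting so the output can be piped to Format-Table or exported.
        [pscustomobject]@{
            App       = $app
            Setting   = $name
            Value     = $current
            Compliant = $ok
        }
    }
}
```

Run it once with the default `-Mode Audit` to see what each user's Office actually enforces (a missing key means the stock "Enable Content" prompt is live), then with `-Mode Enforce` on a test machine. For a fleet, push the same two values through Group Policy using the Office administrative templates rather than this script, since Group Policy refresh will overwrite anything written locally under the Policies key.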
In the next part of this series, we will take a look at one practical malware analysis technique as we dig deeper on this specific attack.