Cyber-security is a very real and serious problem today. Almost everybody is heavily dependent on the web for everything: work, education, or even passing the time, we use the internet for it all. To stay safe online, we need to learn to recognise anything malicious that comes our way.
Phishing emails usually rely on malicious attachments to distribute malware. Spam campaigns posing as invoices, payment information, invites, voicemails, eFaxes, etc. are fairly common. Emails like these will usually carry malicious Word or Excel attachments. If opened with macros enabled, these attachments will install malware on the device.
Office normally asks users to click on ‘Enable Macros’ or ‘Enable Content’ before executing the macros in a document, something users should refrain from doing. To get around this, malware creators send Word or Excel documents stating that there is a problem displaying the content, and the user is then prompted to click the enable editing or enable content options. Such text and image combinations are referred to as document templates. Let us have a look at a few such document templates used in spam campaigns.
BazarLoader is malware that targets enterprises, developed by the same group that was responsible for the TrickBot Trojan. If installed, BazarLoader (also known as BazarBackdoor) can be used to gain remote access to the user’s computer and then compromise the network. Once a network has been infected with this malware, threat actors usually deploy the Ryuk ransomware to encrypt all devices.
Phishing emails that distribute this malware will usually contain links to a Word or Excel file hosted on Google Docs or Sheets. The document in question will usually display an error asking the user to download the file, which will then install the malware.
First spotted in 2014, Dridex is an advanced banking Trojan. Dridex downloads various modules which threat actors can then use to steal passwords, gain remote access to devices, and perform other malicious activities. After compromising a network, Dridex usually deploys BitPaymer or other ransomware. WastedLocker, another ransomware, is also believed to be connected to Dridex. Unlike other attackers, Dridex uses stylized templates. The template will contain very little content and will prompt the user to click enable content for better visuals. Another template used by Dridex resembles shipping information: it displays a hard-to-read invoice, prompting the user to click on enable content.
Emotet, one of the most widely distributed malware families, arrives as malicious emails with Word or Excel documents attached. Emotet steals emails from infected systems and uses those systems to spread the malware further. Once infected with Emotet, user devices are likely to be further infected with TrickBot and QakBot. These Trojans steal passwords, files, and cookies, compromising an organization’s network. A system infected with TrickBot may end up hit by a ransomware attack; systems affected by QakBot may be infected by ProLock, another ransomware.
Emotet uses various template boxes with a warning saying that a document cannot be viewed. For example, one such template claims the document cannot be opened because it was created on an iOS device, and the user is prompted to click on enable content to gain access. Another template states the document was created on Windows 10 Mobile, even though Windows 10 Mobile has been discontinued for some time.
Attachments with extensions like .vbs, .exe, .js, .jar, .bat, etc. should also be avoided or treated with extreme caution. Most email services block such “executable” attachments. To get around this, malware creators usually send such attachments in password-protected form. Therefore, if users receive any such executable files, they should delete them to avoid malware.
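As an added example (not from the original article), the following Python triage helper applies the checks described above to an attachment: it flags the executable extensions listed, detects the VBA macro part inside Word/Excel OOXML packages, and notes password-protected archives, which is the usual form that "password protected" executable attachments take. The attachment samples are constructed in memory for illustration; the flag names and the `classify_attachment` function are this example's own.

```python
import io
import os
import zipfile

# Extensions the article lists as "executable" attachment types.
EXECUTABLE_EXTENSIONS = {".vbs", ".exe", ".js", ".jar", ".bat"}
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}  # VBA code in OOXML

def classify_attachment(filename: str, data: bytes) -> set:
    """Return the set of risk flags raised by one attachment's name and raw bytes."""
    flags = set()
    if os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS:
        flags.add("executable_extension")
    if data.startswith(b"PK\x03\x04"):  # OOXML documents and plain .zip archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                if names & MACRO_PARTS:
                    flags.add("office_macro")
                if any(info.flag_bits & 0x1 for info in zf.infolist()):
                    flags.add("encrypted_archive")  # contents hidden from gateway scanning
                if {os.path.splitext(n)[1].lower() for n in names} & EXECUTABLE_EXTENSIONS:
                    flags.add("archived_executable")
        except zipfile.BadZipFile:
            flags.add("malformed_zip")
    return flags

def build_zip(parts: dict) -> bytes:
    """Constructed sample: in-memory zip/OOXML package from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()

def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed sample: set the 'encrypted' flag bit in every central-directory entry."""
    data, pos = bytearray(zip_bytes), zip_bytes.find(b"PK\x01\x02")
    while pos != -1:
        data[pos + 8] |= 0x01  # general-purpose flag field, bit 0 = encrypted
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)

# Constructed attachments: macro-enabled Word file, clean Word file, protected archive with a script, bare executable.
SAMPLES = {
    "invoice.docm": build_zip({"word/document.xml": "<w/>", "word/vbaProject.bin": b"\0" * 16}),
    "report.docx": build_zip({"word/document.xml": "<w/>"}),
    "voicemail.zip": mark_encrypted(build_zip({"voicemail.vbs": "' constructed stub"})),
    "setup.exe": b"MZ" + b"\0" * 14,
}
```

Legacy binary .doc/.xls files (OLE containers) are not covered here; they need an OLE parser such as oletools to confirm whether a macro stream is present.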
We need to exercise caution while on the internet to protect our devices and our personal information.