Top 4 dangerous file attachments
03 June 19, 06:16
Quote:
Spammers send billions of messages every single day. It is mostly trite advertising — annoying, but generally harmless. But every once in a while, there is a malicious file attached to one of the messages.
To provoke the recipient into opening a dangerous file, it is usually masked as something interesting, useful, or important: a work document, a great offer, a gift card bearing the logo of a well-known company, and so on.
Malware distributors have their own “pet” formats. In this post we explore this year’s top malware-hiding files.
1. ZIP and RAR archives
Cybercriminals love to conceal malware in archives. For example, ZIP files teasingly titled Love_You0891 (the number varied) were used by attackers to distribute GandCrab ransomware on the eve of St. Valentine’s Day. Other scammers were sighted a couple of weeks later sending archives with the Qbot Trojan, which specializes in stealing data.
This year also saw the discovery of an interesting WinRAR feature. When creating an archive, it turns out, one can set up rules to unpack the contents into the system folder. In particular, contents can go into the Windows startup folder, causing them to start at the next reboot. Therefore, we recommend that WinRAR users update it immediately to fix this.
2. Microsoft Office documents
Microsoft Office files, especially Word documents (DOC, DOCX), Excel spreadsheets (XLS, XLSX, XLSM), presentations, and templates, are also popular with cybercriminals. These files can contain embedded macros — small programs that run inside the file. Cybercriminals use macros as scripts for downloading malware.
Most often, these attachments target office workers. They are disguised as contracts, bills, tax notifications, and urgent messages from senior management. For example, a banking Trojan that goes by the name Ursnif was foisted on Italian users under the guise of a payment notice. If the victim opened the file and agreed to enable macros (disabled by default for security reasons), a Trojan was downloaded onto the computer.
3. PDF files
Many people know about the dangers of macros in Microsoft Office documents, but they are often less aware of booby traps in PDF files. Nevertheless, PDFs can conceal malware. The format can be used to create and run JavaScript files.
What’s more, cybercriminals are fond of hiding phishing links in PDF documents. For example, in one spam campaign, fraudsters encouraged users to go to a “secure” page where they were asked to sign into their American Express account. Needless to say, their credentials were immediately forwarded to the scammers.
4. ISO and IMG disk images
In comparison with the previous types of attachments, ISO and IMG files are not used very often. Cybercriminals have been paying increasing attention to them of late, however. Such files — disk images — are basically a virtual copy of a CD, DVD, or other disk.
Attackers used a disk image to deliver to victims’ computers malware such as the Agent Tesla Trojan, which specializes in stealing credentials. Inside the image was a malicious executable file that, when mounted, activated and installed spyware on the device. Curiously, in some cases, the cybercriminals used two attachments (an ISO and a DOC) together, apparently as a fail-safe.
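Added example, not part of the quoted article or of any poster's reply: a mail-gateway style triage that flags the four attachment types above by file content rather than by file name. The tag names, the extension list and the sample files are assumptions made for illustration, and the archive path check generalizes the WinRAR unpacking issue to ZIP entry names.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy DOC/XLS container
PDF_MARKERS = {b"/JavaScript": "pdf-javascript", b"/OpenAction": "pdf-auto-action",
               b"/URI": "pdf-link"}
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".lnk", ".bat")  # assumed policy list

def triage(data: bytes) -> list[str]:
    """Classify an attachment by its content, not by its file name."""
    found = []
    if data.startswith(b"PK\x03\x04"):  # ZIP, which also covers DOCX/XLSX/XLSM
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.replace("\\", "/") for n in zf.namelist()]
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            found.append("office-macro")
        if any(n.startswith("/") or ".." in n.split("/") for n in names):
            found.append("archive-path-escape")
        if any(n.lower().endswith(RISKY_EXT) for n in names):
            found.append("archive-executable")
    elif data.startswith(b"Rar!\x1a\x07"):
        found.append("rar-archive")  # contents need a RAR-capable scanner
    elif data.startswith(OLE_MAGIC):
        found.append("legacy-office-ole")  # macro-capable; needs an OLE parser
    elif b"%PDF-" in data[:1024]:
        # Plain byte search: misses names hidden by #xx escapes or compressed objects.
        found += [tag for marker, tag in PDF_MARKERS.items() if marker in data]
    if data[0x8001:0x8006] == b"CD001":  # ISO 9660 volume descriptor
        found.append("disk-image-iso9660")
    return found

def _zip(*names: str) -> bytes:
    """Build a constructed in-memory ZIP of empty entries with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    return buf.getvalue()

# Constructed samples, not real malware or real campaign files.
SAMPLES = {
    "invoice.xlsm": _zip("[Content_Types].xml", "xl/vbaProject.bin"),
    "card.zip": _zip("../../Startup/card.exe"),
    "statement.pdf": b"%PDF-1.7\n1 0 obj<</OpenAction<</S/JavaScript/JS(1)>>>>endobj",
    "scan.iso": bytes(0x8001) + b"CD001" + bytes(32),
    "notes.zip": _zip("readme.txt"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:15} {triage(blob) or ['no-flag']}")
```

A flag here means "hold for deeper scanning", not "malicious"; an empty result is not a clean bill of health either.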
Posts: 185
Threads: 64
Thanks Received: 449 in 184 posts
Thanks Given: 784
Joined: 27 December 18
It is obviously very important to check every email we receive and even more important, never download email attachments, unless they are emails from people we really trust. A lot of threats are spread in this way nowadays.