Malicious password-protected files - Blog | Menlo Security (2024)

Attackers are constantly crafting new ways to evade enterprise cybersecurity defenses. Consider how both phishing and malware delivery are evolving: in this case, attackers use password-protected files to infect endpoints. It is a growing risk for all organizations.

There was a time when nearly all phishing attacks, whether crafted to harvest credentials from an unsuspecting target or to distribute a malware payload, were delivered via email. No more. Because email has lost its dominion as the singular communication channel it once was, threat actors are increasingly targeting other channels, such as text messages, social media direct messaging, and collaboration tools. Attackers are not only turning to these channels and improving their social engineering tactics; they are also reviving an old and very effective evasion technique: password-protected files with malicious payloads.

Their goal is to evade the protections enterprises have put in place to defend email: anti-virus, content filters, and signature-based security tools. Attackers find new delivery vectors by sending phishing messages over channels other than email, and they hide the malicious payload behind encryption.

What are malicious password-protected files?

Attackers use password-protected files, typically delivered through a phishing email, to obfuscate payloads inside widely used and legitimate file formats. Because the payload is encrypted within the container, traditional anti-malware engines and content filters cannot inspect it, which makes the malicious content much harder to identify and stop. Despite this risk, most organizations have decided not to block password-protected files at the email gateway, because doing so would dramatically hurt productivity.

The password-protected file types attackers use most often to deliver their malicious payloads are Microsoft Word and Excel documents (Excel has become more common since Microsoft began blocking macros by default in Office files downloaded from the internet), PDF files, and ZIP archives.

Let’s examine how these attacks work.

How seemingly innocuous password-protected files sent through email evade security defenses and infect endpoints

Because password-protected files are encrypted, they cannot be opened without the password, which makes their contents unreadable to most security tools. Consider how this undermines the defenses in place at a typical organization: a threat actor sends a password-protected file through social media messaging or email. To add credibility to the social-engineering lure, the attacker uses file names that will entice the target, such as an invoice or financial information, and sometimes texts or emails the password in a separate message to add further legitimacy.

The password-protected file containing malware then manages to:

Evade network or gateway security defenses

Because the file is encrypted and carries a commonly used file extension, the organization allows it through the email gateway, past any security sandboxes or automated analysis tools (which do not have the password), and on to the user. If the file then encounters a network security scanning engine, it is again, because of business productivity concerns, allowed through to the end user. Strictly speaking, only the file contents are encrypted: a ZIP archive's member names, sizes and encryption method remain readable without the password, which gives a gateway something to inspect even when it cannot decrypt the payload.
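As an added example (not Menlo Security code or product logic), the script below shows what a gateway can still do with a password-protected ZIP it cannot decrypt: read the never-encrypted central directory for member names and the encryption method, then, when the password travels in the same message, try it and look at the real content. The sample archive, password and message body are constructed here; the ZipCrypto routine exists only to build that sample, and the risky-extension list, the password regex and the verdict labels are illustrative assumptions rather than a published policy.

```python
import io
import re
import struct
import zipfile
import zlib

def _crc_step(crc, byte):
    # One raw CRC-32 table step (ZipCrypto's key schedule); zlib.crc32 inverts in and out.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(plain: bytes, password: bytes, check_byte: int) -> bytes:
    """Traditional PKWARE ('ZipCrypto') encryption: a 12-byte header ending in a check
    byte, then the body, all XORed with a keystream derived from the password."""
    keys = [0x12345678, 0x23456789, 0x34567890]
    def update(c):
        keys[0] = _crc_step(keys[0], c)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_step(keys[2], keys[1] >> 24)
    for p in password:
        update(p)
    out = bytearray()
    for c in b"\x00" * 11 + bytes([check_byte]) + plain:
        k = keys[2] | 2
        out.append(c ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(c)
    return bytes(out)

def build_encrypted_zip(entries: dict, password: bytes) -> bytes:
    """Minimal ZIP writer: members stored (no compression) and ZipCrypto-encrypted.
    Only member bodies are encrypted; names, sizes and CRCs stay in cleartext headers."""
    local, central = b"", b""
    for name, body in entries.items():
        name_b = name.encode()
        crc = zlib.crc32(body) & 0xFFFFFFFF
        data = zipcrypto_encrypt(body, password, crc >> 24)  # readers verify CRC's top byte
        flags, method, offset = 0x0001, 0, len(local)        # bit 0 = encrypted; 0 = stored
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0x21,
                             crc, len(data), len(body), len(name_b), 0) + name_b + data
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                               0, 0x21, crc, len(data), len(body), len(name_b),
                               0, 0, 0, 0, 0, offset) + name_b
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd

# Illustrative list of inner file types a gateway would not let a user open unscanned.
RISKY_EXT = {".exe", ".dll", ".scr", ".msi", ".lnk", ".iso", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".docm", ".xlsm"}

def triage_zip(blob: bytes) -> dict:
    """What a gateway learns WITHOUT the password: the central directory is never
    encrypted, so member names, sizes and the encryption method are all visible."""
    report = {"encrypted": False, "aes": False, "members": [], "risky": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            report["members"].append(info.filename)
            report["encrypted"] |= bool(info.flag_bits & 0x1)
            report["aes"] |= info.compress_type == 99       # WinZip AES uses method 99
            name = info.filename.lower()
            ext = name[name.rfind("."):] if "." in name else ""
            if ext in RISKY_EXT or name.count(".") > 1:      # risky type or double extension
                report["risky"].append(info.filename)
    return report

# Phrases used when the attacker ships the password in the message body itself.
_PW_RE = re.compile(r"(?:password|passcode|pwd)\s*(?:is|:|=)\s*[\"'“]?([^\s\"'”,.]{4,})", re.I)

def password_candidates(body: str) -> list:
    return [m.encode() for m in _PW_RE.findall(body)]

def try_passwords(blob: bytes, candidates: list):
    """Return (password, {member: first 4 bytes}) for the first candidate that opens every
    member, else (None, {}). ZipCrypto's 8-bit check byte lets a wrong password slip past
    about 1 time in 256; the CRC check (BadZipFile) then catches it."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for pw in candidates:
            try:
                heads = {i.filename: zf.read(i, pwd=pw)[:4] for i in zf.infolist()}
            except (RuntimeError, zipfile.BadZipFile):
                continue
            return pw, heads
    return None, {}

def analyze_attachment(blob: bytes, body: str) -> str:
    """Policy: block on risky inner names; else recover the password from the message
    and look at the real content; hold for a human when neither is possible."""
    t = triage_zip(blob)
    if not t["encrypted"]:
        return "scan-normally"
    if t["risky"]:
        return "block"
    pw, heads = try_passwords(blob, password_candidates(body))
    if pw is None:
        return "hold"
    return "block" if any(h.startswith(b"MZ") for h in heads.values()) else "scan-decrypted"

# Constructed sample: the 'PDF' is really a PE stub ('MZ'); the password is in the body.
SAMPLE_PASSWORD = b"Inv0ice#2024"
SAMPLE_ZIP = build_encrypted_zip({"Invoice_2024.pdf": b"MZ\x90\x00" + b"\x00" * 60,
                                  "README.txt": b"Please open the invoice.\n"}, SAMPLE_PASSWORD)
SAMPLE_BODY = "Hi, the signed invoice is attached. The password is Inv0ice#2024. Thanks!"
```

Calling analyze_attachment(SAMPLE_ZIP, SAMPLE_BODY) returns "block": the member names look harmless, so metadata triage alone would only justify holding the file, and it is recovering the password from the body that exposes the MZ header. When the password is sent out of band, as the text above describes, recovery fails and the right outcome is to hold the file rather than wave it through. The script only flags AES-encrypted archives (method 99) because the standard library cannot open them, and it does not recurse into nested archives.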

Evade endpoint detections

The phishing email and attachment finally reach the endpoint. Posing as a trusted vendor or as a colleague from another department, the attacker tricks some percentage of users into opening the attachment and entering the supplied password. The user then opens the document or clicks the embedded link, which launches the web browser, and the endpoint is infected.

As mentioned above, attackers can skip email altogether and deliver the phishing lure over social media. Here the attacker sends a direct message containing a link that launches the web browser and leads to an external storage service such as Box, Dropbox, or Google Drive, from which the malicious password-protected file is downloaded to the endpoint. The user opens the file and enters the password. The attack is otherwise identical to the email case, except that no email is needed: the entire chain runs inside an app and the web browser, or just the web browser.

There are many examples of password-protected files being used in attacks. Here are a few:

  • The North Korean Lazarus group is one example of attackers leveraging these techniques. While pursuing Russian organizations, the group delivered malicious Office documents tucked inside ZIP files. Targets opened the ZIP file and then what appeared to be a legitimate Word document; that document launched macros that began infecting the computer. According to US-CERT, the resulting Trojan accesses device configuration data, downloads files, executes commands, modifies the system registry, captures what is displayed on the monitor, and otherwise exfiltrates data.
  • The Chinese nation-state threat actor Earth Preta recently began an attack campaign with spear-phishing emails containing malicious links. The links led to a cloud storage provider hosting a password-protected malicious file, which the web browser downloaded to the endpoint once clicked. The malware then gave the attackers backdoor access, command and control, and data exfiltration capabilities.
  • The Qbot botnet has also pushed malware payloads via phishing emails carrying password-protected ZIP files. On targeted devices, these archives contain malicious MSI Windows Installer packages or Microsoft Office documents with malicious macros.

Why this technique remains popular among threat actors

According to HP Wolf, 42% of all malware is now delivered as archive files, such as ZIP and RAR. “Archives are attractive to threat actors because they are easily encrypted, making them difficult for web proxies, sandboxes, and email scanners to detect malware," HP Wolf’s Q3 2022 Quarterly Insights Report said.

Cyber attacks that leverage password-protected malicious files are classified as Highly Evasive Adaptive Threats (HEAT). As we have covered previously, HEAT attacks arose alongside the growth of remote and hybrid work, cloud migration, and the accelerated adoption of software-as-a-service (SaaS) applications. They rely on techniques, such as malicious password-protected files, that successfully avoid today's detection-based security tools.

Further, HEAT attacks target knowledge workers' go-to productivity software: the web browser. Password-protected malicious files let threat actors deliver and execute their payloads because they slip past the most commonly deployed security defenses.

How to prevent attacks leveraging malicious password-protected files

Organizations that successfully stop HEAT attacks, including those that hide malicious payloads within password-protected files, will be those that adopt preventative security technology that provides visibility into web browser activity and applies dynamic policy enforcement to stop zero-hour attacks.

That is the only way to identify and prevent such HEAT attacks in real time. Defending against the previous generation of attacks, those already known and recognized by current signature-based technologies, or those that solely targeted email, is not sufficient against these evasive threats.
