Sunnyvale, Calif.-based security firm Proofpoint discovered a sharply focused email-based campaign attacking a major financial service provider with a small number of malicious emails sent to users in a single organization.

The emails carried a Microsoft Word attachment that used an embedded object rather than macros to evade detection, and the embedded object was itself heavily obfuscated. The payload was an unidentified keylogger hardcoded to send its logs from infected computers to two Gmail addresses.

Proofpoint recommends all organizations, including credit unions and other financial institutions, stay aware of this newest attack method.

“While the use of embedded objects instead of macros is not new, malicious macros remain the vector of choice for most threat actors at this time. However, we expect that this technique will become more popular in 2017,” Danny Howerton, a threat analyst at Proofpoint, said in the blog.

In its technical analysis of the attack, Proofpoint showed how the emails included a Microsoft Word attachment named “info.doc.” The document contained an image requesting that users click to install Microsoft Silverlight in order to view the content. Closer examination revealed no macros in this document, but rather a packager shell object. Right-clicking on the image reveals that it is an embedded object instead of just a linked figure.
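A defender-side check for the technique described above, added here as an example and not Proofpoint's code: it inspects a Word document in the OOXML (.docx) form, lists every embedded OLE object, and flags the Package ProgID that marks a packager shell object. The .docx form is an assumption for illustration (the article's info.doc is a legacy binary file, which would need an OLE2 parser such as oletools instead), and the sample document the code builds is constructed, not the real attachment.

```python
import io
import re
import zipfile

# Relationship type Word uses to link an <o:OLEObject> to its embedded binary part.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

def _attrs(tag_body):
    """Parse name="value" attributes from the inside of one XML tag."""
    return dict(re.findall(r'([\w:]+)="([^"]*)"', tag_body))

def find_embedded_objects(docx_bytes):
    """Return [(ProgID, part name or None)] for each OLE object embedded in a .docx.
    A ProgID of 'Package' is the packager shell object the analysis describes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if not {"word/document.xml", "word/_rels/document.xml.rels"} <= names:
            return findings  # not a Word OOXML package, nothing to inspect
        rels = z.read("word/_rels/document.xml.rels").decode("utf-8", "replace")
        targets = {}  # relationship id -> embedded part, oleObject relationships only
        for m in re.finditer(r"<Relationship\s+([^>]*?)/?>", rels):
            a = _attrs(m.group(1))
            if a.get("Type") == OLE_REL:
                targets[a.get("Id")] = "word/" + a.get("Target", "")
        doc = z.read("word/document.xml").decode("utf-8", "replace")
        for m in re.finditer(r"<o:OLEObject\s+([^>]*?)/?>", doc):
            a = _attrs(m.group(1))
            if a.get("Type") != "Embed":
                continue  # a linked object carries no payload inside the file
            part = targets.get(a.get("r:id"))
            findings.append((a.get("ProgID", "?"), part if part in names else None))
    return findings

def has_packager_object(docx_bytes):
    """True when the document embeds a packager shell object (ProgID 'Package')."""
    return any(prog == "Package" for prog, _ in find_embedded_objects(docx_bytes))

def build_sample_docx(embed=True):
    """Constructed sample, not the real info.doc: a minimal macro-free .docx that,
    when embed is True, carries one packager shell object backed by a stub .bin part."""
    ole = '<o:OLEObject Type="Embed" ProgID="Package" ShapeID="_x0000_i1025" r:id="rId5"/>' if embed else ""
    rel = f'<Relationship Id="rId5" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>' if embed else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document><w:body><w:p><w:r><w:object>" + ole + "</w:object></w:r></w:p></w:body></w:document>")
        z.writestr("word/_rels/document.xml.rels", "<Relationships>" + rel + "</Relationships>")
        z.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)  # stub OLE2 header
    return buf.getvalue()
```

A mail gateway or sandbox can run the same check on every attachment and quarantine documents where `has_packager_object` is true, independent of whether macros are blocked by policy.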

A memory dump of the malware process revealed a network request to http[:]//icanhazip[.]com, which allows the malware to identify the public IP address of the infected machine, and the occurrence of "GetAsyncKeyState," a Windows API used frequently by keyloggers to identify keyboard keys pressed by the user. The malware also used Gmail's SMTP server to send these logs to two hardcoded Gmail addresses.

“To date, we have not identified this particular keylogger,” Proofpoint explained. What is known is that it is written in AutoIt and that it downloads additional tools, such as the LaZagne password recovery tool, from hxxp://0v3rfl0w[.]com. The infection vector is of greater interest at this point; the functions of the malware itself are fairly straightforward.

“As threat actors move beyond the use of malicious macros, organizations will need to rethink how they prevent malicious content from reaching end users,” Proofpoint warned.

While many organizations are either blocking Microsoft Office macros at a policy level or educating users about the dangers of enabling macro content, the security firm suggested attackers have other means of creating weaponized documents for distributing malware: in this case, an embedded Visual Basic script in a Microsoft Word document with a keylogger payload.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. He has also been the writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997, and has worked on history projects funded by the U.S. Interior Department, the National Park Service and Warren County (N.Y.).