Quote: To be secure online, everyone needs to identify the fake email attachments that are often used to spread malware.

![](https://upload-images.jianshu.io/upload_images/24762785-2e24e083f665318d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

To be secure online, everyone needs to identify phishing email attachments that are often used to spread malware.

To spread malware, attackers disguise spam as invoices, invitations, payment notices, shipping notifications, faxes, voicemails, and more.

These emails carry malicious Word and Excel attachments, or links to them, which install malware on the computer once macros are enabled.

However, Office requires the user to click the “Enable Editing” or “Enable Content” button before a macro will run in Word or Excel, so the attack fails unless the user clicks.

![](https://upload-images.jianshu.io/upload_images/24762785-569698c03fcc9e90.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Do not click “Enable Content” on attachments you receive

To entice users to click these buttons, malware distributors create Word and Excel documents containing text and images that claim there is a problem displaying the document and prompt the recipient to click “Enable Content” or “Enable Editing” to view it properly.

The combination of text and images in such a malicious attachment is called a “document template.” Below are different document templates used in spam campaigns that spread widely distributed malware; note that the same templates can also be used with other malware. These are the more commonly seen templates, but there are many others.

BazarLoader

BazarLoader is enterprise-targeting malware developed by the same group behind the TrickBot Trojan. Once installed, the attacker can use BazarLoader/BazarBackdoor for remote access to your computer and use it to attack other parts of your network.

Once a network is infected with BazarLoader, attackers typically deploy Ryuk ransomware to encrypt all devices on the network.

The phishing emails that spread BazarBackdoor typically contain links to Google Docs pages, or to Word or Excel documents hosted on Google Docs.

These Google Docs pages are fake: they prompt you to download the document, and the download is actually an executable that installs BazarLoader, as shown below.

![](https://upload-images.jianshu.io/upload_images/24762785-18c967ceca4723a4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

BazarLoader: Fake Google Docs page hosting the attachment

Dridex

Dridex is an advanced modular banking Trojan that was first discovered in 2014 and is continually updated.

Dridex downloads various modules that can be used to steal passwords, provide remote access to the computer, or perform other malicious activity.

Once Dridex gets into a network, it usually leads to BitPaymer or Dridex ransomware attacks.

Another ransomware operation, WastedLocker, has also been linked to Dridex, although one security company disputes this. Unlike other malware distribution campaigns, the Dridex gang tends to use formatted document templates that display small or blurry content and prompt you to click so the content becomes clearly visible.

For example, the template below states that the document was created in an earlier version of Microsoft Office Word and that the preview shown below it is difficult to read.

![](https://upload-images.jianshu.io/upload_images/24762785-4bae7678f4b61aff.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Dridex: Created in an earlier version of Word

Dridex also uses more stylized document templates that masquerade as DHL and UPS shipping notifications.

![](https://upload-images.jianshu.io/upload_images/24762785-15b54797ece16154.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Dridex: Fake DHL shipping notification

Finally, Dridex displays hard-to-read payment invoices and prompts you to click “Enable Editing” to view them properly.

![](https://upload-images.jianshu.io/upload_images/24762785-3c5261dc22d15509.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Dridex: Fake Intuit invoices

As the examples above show, Dridex likes to use embedded images with company logos and headers to entice users into enabling macros.

Emotet

Emotet is the most widely distributed malware that spreads through malicious Word or Excel documents. Once a computer is infected, Emotet steals the victim’s email and uses the infected computer to send more spam to recipients around the world.

Users infected by Emotet are eventually also infected with Trojans such as TrickBot and QakBot. These Trojans are used to steal passwords, cookies, and files, and to compromise the organization’s entire network.

Finally, a TrickBot infection can lead to Ryuk or Conti ransomware on the network, while users affected by QakBot can be hit with ProLock ransomware.

Unlike Dridex, Emotet’s document templates do not show an image of the actual document. Instead, Emotet uses a variety of templates that display warning boxes telling you the document cannot be viewed properly and that you need to click “Enable Content” to read it.

For example, the “Red Dawn” template shown below declares “This document is protected” and prompts you to enable content to read it.

![](https://upload-images.jianshu.io/upload_images/24762785-497081b5343c8a61.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Emotet: “This document is protected” template

The following template pretends the document cannot open properly because it was created on an iOS device.

![](https://upload-images.jianshu.io/upload_images/24762785-31e02175a8d8b1a6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Emotet: Created on an iOS device

Others claim the file was created on a Windows 10 Mobile device, which is odd, since Windows 10 Mobile has been discontinued for a long time.

![](https://upload-images.jianshu.io/upload_images/24762785-28e69486e37f7141.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Emotet: Created on a Windows 10 Mobile phone

The next template claims the document loaded in “Protected View” and that the user needs to click “Enable Editing” to see it correctly.

![](https://upload-images.jianshu.io/upload_images/24762785-9ce6029b712ff202.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Emotet: Protected View

The next template is more interesting because it tells the user to accept Microsoft’s license agreement before viewing the document.

![](https://upload-images.jianshu.io/upload_images/24762785-20c96ad1a249f059.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Emotet: Accept license agreement

Another interesting template masquerades as a Microsoft Office Activation Wizard, prompting the user to click “Enable Editing” to complete Office activation.

![](https://upload-images.jianshu.io/upload_images/24762785-072e2025e1de6fa3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Emotet: Office Activation Wizard

Finally, Emotet uses a document template that masquerades as a Microsoft Office Transformation Wizard.

![](https://upload-images.jianshu.io/upload_images/24762785-7147719039b46157.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Emotet: Transformation Wizard

Rather than imitating a formatted document, Emotet relies on generic warnings to convince users to enable the attachment’s macros.

QakBot

QakBot, or QBot, is a Trojan that spreads through phishing campaigns, typically sending malicious Microsoft Word documents to businesses.

QakBot is a modular Trojan capable of stealing banking information, installing other malware, or providing remote access to infected devices.

Like the other Trojans covered in this article, QakBot has been associated with ransomware, in its case ProLock, which is usually the final payload of these attacks.

QakBot campaigns tend to use more stylized document templates than Emotet. The most common template used in QakBot spam campaigns masquerades as DocuSign, as shown below.

![](https://upload-images.jianshu.io/upload_images/24762785-befc002165c0a246.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

QakBot: DocuSign template

Other templates masquerade as Microsoft Defender or Word update and activation screens, as shown below.

![](https://upload-images.jianshu.io/upload_images/24762785-10004de2baad29c6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

QakBot: Word update and activation template

All executable attachments

Finally, do not open attachments ending in .vbs, .js, .exe, .ps1, .jar, .bat, .com, or .scr, as all of these extensions can be used to execute commands on your computer.

Because most email services (including Office and Gmail) block “executable” attachments, malware distributors place these executables inside password-protected archives and include the password in the email. This technique lets the executable attachment bypass email security gateways and reach the recipient.

![](https://upload-images.jianshu.io/upload_images/24762785-d1aa96eeaead075c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

The JAR attachment

Unfortunately, Microsoft hides file extensions by default, which lets attackers trick users into running unsafe files (a file named “invoice.pdf.exe” shows up as “invoice.pdf”). BleepingComputer therefore strongly recommends that all Windows users enable the display of file extensions.

If you receive an email containing an executable file type, it is almost certainly malicious and you should delete it immediately.
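The three attachment risks described above (executable extensions, including ones hidden behind a fake “.pdf”; a VBA macro project inside an Office document; and executables inside a password-protected archive) can all be checked mechanically. The following triage script is an added example written for this page, not code from the original article; the file names and the `build_sample_zip` helper that fabricates test input are constructed for illustration.

```python
import io
import zipfile

# Extensions the article names: each one can execute commands on Windows.
EXECUTABLE_EXTS = (".vbs", ".js", ".exe", ".ps1", ".jar", ".bat", ".com", ".scr")
# Zip-based containers: plain archives and OOXML Office documents.
ZIP_EXTS = (".zip", ".docx", ".docm", ".xlsx", ".xlsm")

def risky_extension(filename: str) -> bool:
    # Only the final suffix counts, so 'invoice.pdf.exe' is caught; with
    # extensions hidden, Explorer would show that file as 'invoice.pdf'.
    return filename.lower().endswith(EXECUTABLE_EXTS)

def container_findings(data: bytes) -> list:
    # OOXML documents and .zip attachments are both zip containers, so one
    # pass catches a VBA project (word/ or xl/vbaProject.bin), members
    # encrypted with a password sent in the email, and executables inside.
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith("vbaproject.bin"):
                    findings.append("VBA macro project: " + info.filename)
                if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted
                    findings.append("encrypted member: " + info.filename)
                if risky_extension(info.filename):
                    findings.append("executable inside archive: " + info.filename)
    except zipfile.BadZipFile:
        findings.append("not a valid zip container")
    return findings

def triage(filename: str, data: bytes) -> list:
    findings = ["executable attachment"] if risky_extension(filename) else []
    if filename.lower().endswith(ZIP_EXTS):
        findings.extend(container_findings(data))
    return findings

def build_sample_zip(members: dict, encrypted: bool = False) -> bytes:
    # Constructed test input. Python cannot write encrypted zips, so the
    # encrypted bit is patched into each central-directory header (offset 8).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    pos = data.find(b"PK\x01\x02") if encrypted else -1
    while pos != -1:
        data[pos + 8] |= 0x1
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)
```

Legacy binary formats (.doc, .xls) are OLE compound files, not zip containers, so they need a separate parser and are not covered here.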
