Cybersecurity company SonicWall has detected fresh attempts by cybercriminals to trick businesses into downloading malicious files by embedding the Golroted malware strain into seemingly harmless Microsoft Office documents.
SonicWall’s CaptureLabs Threats Research Team has identified the malware in Microsoft Word, Microsoft Excel and Rich Text Format (.RTF, which is accessible using most word processing software) files being spread through phishing emails.
These files contain the malware, which is usually stored in encrypted form, hidden within the document. MS Word files, for example, contain an embedded image, while Excel files contain the encrypted data in a cell line above 100, making it difficult for the user to spot. Macro code is then used to decrypt the data and execute the malware, infecting the user’s system.
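A defender can triage a suspect workbook for the Excel pattern described above: a macro part in the file plus long text stored in rows above 100. The sketch below is an added example, not SonicWall's tooling; it assumes the Office Open XML container (.xlsm/.xlsx), and the function names, the 64-character threshold and the sample workbook are constructed for illustration.

```python
import io, math, re, zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer defusedxml
from collections import Counter

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
T, C, SI, V = ("{%s}%s" % (NS, tag) for tag in ("t", "c", "si", "v"))

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def text_of(elem):
    return "".join(t.text or "" for t in elem.iter(T))

def triage_workbook(data, min_row=100, min_len=64):
    """Report macro presence and long text stored in rows above min_row."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = zf.namelist()
    sst = zf.read("xl/sharedStrings.xml") if "xl/sharedStrings.xml" in names else b"<sst/>"
    shared = [text_of(si) for si in ET.fromstring(sst).iter(SI)]
    hits = []
    for name in names:
        if not re.fullmatch(r"xl/worksheets/[^/]+\.xml", name):
            continue
        for c in ET.fromstring(zf.read(name)).iter(C):
            m = re.fullmatch(r"[A-Z]+(\d+)", c.get("r", ""))
            if not m or int(m.group(1)) <= min_row:
                continue
            text = text_of(c)  # inline string, if any
            v = c.find(V)
            if c.get("t") == "s" and v is not None and int(v.text) < len(shared):
                text = shared[int(v.text)]  # shared-string table lookup
            if len(text) >= min_len:
                hits.append((name, c.get("r"), len(text), round(entropy(text), 2)))
    has_macros = any(n.lower().endswith("vbaproject.bin") for n in names)
    return {"has_macros": has_macros, "hidden_text": hits}

def build_sample():
    """Constructed sample workbook: stub macro part plus filler text in A150."""
    sheet = ('<worksheet xmlns="%s"><sheetData>'
             '<row r="1"><c r="A1" t="inlineStr"><is><t>Invoice</t></is></c></row>'
             '<row r="150"><c r="A150" t="s"><v>0</v></c></row>'
             '</sheetData></worksheet>') % NS
    sst = '<sst xmlns="%s"><si><t>%s</t></si></sst>' % (NS, "A1b2C3d4" * 16)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        zf.writestr("xl/sharedStrings.xml", sst)
        zf.writestr("xl/vbaProject.bin", b"\x00")  # stub, not real VBA
    return buf.getvalue()
```

A hit is only a lead for manual review: legitimate workbooks can hold long strings, and legacy binary .xls files are not covered by this parser.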
The exploitation of Microsoft Office applications by cybercriminals is not a new threat, but this is believed to be the first detection of the Golroted malware being spread in this way.
This particularly nasty malware is a worm, designed to spread between systems by copying itself to removable drives.
Golroted records information on the device, user and anti-virus software installed, and has also been seen to gather password information from a number of applications. The malware is also able to capture screenshots, log keystrokes, download files and visit websites on the compromised system.
The rise of Microsoft Office malware
SonicWall’s Capture Advanced Threat Protection (ATP) platform recorded 392,000 new attack variants last year. Some 50,800 of those attacks exploited trust in Microsoft Office files to dupe targets into downloading malicious payloads. A further 47,000 used PDF files.
While the tactic has been used for some time, cybercriminals are increasingly weaponising trusted applications in this way. In 2017, just 13% of attack variants used Office and PDF files, but that more than doubled in 2018 to 34% according to SonicWall’s 2019 Cyber Threat Report.
Cybersecurity company Barracuda Networks has seen a similar increase in detections. A recent analysis of emails sent in the past 12 months revealed that more than 48% contained some kind of document typically used by regular users, such as Word or PDF.
Early data shows that cybercriminals are increasingly turning to this attack variant. Since the start of the year, some 59% of malicious files detected were documents – a further increase of 23% since last year.
According to SonicWall, many of the malware variants being shared through these phishing emails have never been detected before.
The company’s RTDMI machine learning technology, which works alongside the company’s Capture ATP to identify new threats, discovered 74,300 new cyberattacks in 2018, and according to Bill Conner, CEO of SonicWall, these predominantly contained PDF or Office documents.
Document malware targeting the enterprise
In the US, which was subject to some five billion malware attacks last year, some 4.4bn more than any other country, businesses remain the biggest target for cybercriminals. Some 46% of attacks are launched against businesses, compared to 29% in healthcare and 11% in banking.
According to Conner, the rise of document malware shows this desire of cybercriminals to gain access into businesses, which present valuable opportunities to extort money or steal sensitive information.
“What that [the increase in document malware distribution] tells you is they’re really looking for those vehicles to get into the enterprise,” Conner told Verdict. “Your email and those two vehicles, architectural and future-wise, give you a rich way to get in that you can get around sandboxes.”