Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

10/25/2019
04:25 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Microsoft Office Bug Remains Top Malware Delivery Vector

CVE-2017-11882 has been attackers' favorite malware delivery mechanism throughout the second and third quarters of 2019.

The third quarter of 2019 brought the rise of keylogger Agent Tesla, the decline of phishing-delivered ransomware-as-a-service (RaaS), and attackers' continued preference for exploiting the CVE-2017-11882 Microsoft Office vulnerablity to deliver phishing campaigns.

Emotet began to surge toward the end of last quarter, according to Cofense's Q3 2019 Malware Trends Report, the latest report in a series of phishing updates throughout the year. Summer lulls are not uncommon for cybercriminals, says threat intelligence manager Mollie MacDougall, as attackers and targets take more holidays. Emotet's summer break contributed to the quiet.

It wasn't completely silent on the phishing front. Researchers saw a shift from mostly information stealers in the second quarter, to keyloggers, namely Agent Tesla, in the third. The change doesn't necessarily reflect a broader shift to keyloggers; nor does it relate to a specific campaign. The unconfirmed likelihood, MacDougall says, is Agent Tesla was "cracked," enabling unpaid access to the service and increasing its popularity. Paid users of the keylogger can access an easy-to-use Web interface and customer support via Discord, enabling simpler propagation.

"Threat actors presumably saw an opportunity to leverage a cheap solution that does not require much effort for decent profit, namely in the form of credentials or sensitive information," she adds.

Throughout the second and third quarters, researchers saw little change in the significant delivery mechanisms used to spread malware. The most common method, as seen in more than 600 incidents, is Microsoft Office vulnerability CVE-2017-11882, which remains a "prolific technique" for attackers to spread malware through phishing attacks, researchers report.

The memory corruption vulnerability, now patched, had existed for 17 years before a fix was released in Nov. 2017. This remote code execution bug exists in Microsoft Office when the software fails to properly handle objects in memory. It's exploited using Office attachments, which may range from Excel spreadsheet, to Word docs, to RTF files. When a victim clicks a malicious document, the exploit is triggered and usually downloads a "stage two" malware.

Following CVE-2017-11882, the other two most common delivery mechanisms were Office macros and Windows Script Component (WSC) downloaders. Attackers' consistent use of the same delivery mechanisms could change as the holidays approach and Emotet reemerges, driving innovation among cybercriminals who may start using new variants and tactics.

"Around the holidays, phishing emails with malware often demonstrate a change in trend, opting for holiday greeting cards and graphics or sound with underlying nefarious code," says MacDougall. Emotet's operators typically pause around Russian Orthodox Christmas, she points out, and the threat typically experiences a resurgence in activity right before then – activity reserachers began to see ramp up toward the end of the third quarter, MacDougall notes. Researchers anticipate Emotet's operators will increase its volume and sophistication.

Another notable trend third quarter was the drop in RaaS, which has decreased as attackers swap large-scale campaigns for narrowly focused ones. GandCrab was taken offline; Sodinokibi, the ransomware that shares some of its code base, has seen a low rate of dissemination. Targeted attacks let cybercriminals keep a lower profile and benefit from a higher return ratio.

"The decline of RaaS may continue, but we definitely expect more targeted ransomware campaigns to continue and likely increase," says MacDougall, noting it is "key" to differentiate betwteen RaaS and targeted ransomware campaigns going after high-value target. "With the sustained decline in active RaaS families in the last two years, that model seems to have been tabled as unlucrative as compared to other TTPs," she adds of RaaS campaigns.

For more sophisticated attackers, targeted ransomware campaigns are bringing in larger payouts, especially as insurance companies contribute to ransom payments. The combination of insurers' involvement, along with stories of how companies struggled to recover without paying ransom, may lead to a "test-the-water" resurgence in RaaS further down the road.

Looking ahead to the fourth quarter and beyond, MacDougall anticipates attackers will continue to use delivery mechanisms that work best, often abusing software features that are essential to daily business operations along with known vulnerabilities. Emotet is predicted to remain in operation for "as long as possible" with periods of quiet for updates and retooling. Finally, she expect more election-focused campaigns as both nation-states and non-state groups aim to influence the 2020 elections with information operations and cyber espionage.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Developers: The Cause of and Solution to Security's Biggest Problems."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jestinesbolton
50%
50%
jestinesbolton,
User Rank: Apprentice
10/28/2019 | 12:20:31 AM
Thank somuch
Thank you for you
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Navigating the Asia-Pacific Threat Landscape: Experts Dive In
Kelly Sheridan, Staff Editor, Dark Reading,  9/25/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26120
PUBLISHED: 2020-09-27
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even witho...
CVE-2020-26121
PUBLISHED: 2020-09-27
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an uploa...
CVE-2020-25812
PUBLISHED: 2020-09-27
An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.
CVE-2020-25813
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users.
CVE-2020-25814
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> ...