Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

10/25/2019
04:25 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Microsoft Office Bug Remains Top Malware Delivery Vector

CVE-2017-11882 has been attackers' favorite malware delivery mechanism throughout the second and third quarters of 2019.

The third quarter of 2019 brought the rise of keylogger Agent Tesla, the decline of phishing-delivered ransomware-as-a-service (RaaS), and attackers' continued preference for exploiting the CVE-2017-11882 Microsoft Office vulnerablity to deliver phishing campaigns.

Emotet began to surge toward the end of last quarter, according to Cofense's Q3 2019 Malware Trends Report, the latest report in a series of phishing updates throughout the year. Summer lulls are not uncommon for cybercriminals, says threat intelligence manager Mollie MacDougall, as attackers and targets take more holidays. Emotet's summer break contributed to the quiet.

It wasn't completely silent on the phishing front. Researchers saw a shift from mostly information stealers in the second quarter, to keyloggers, namely Agent Tesla, in the third. The change doesn't necessarily reflect a broader shift to keyloggers; nor does it relate to a specific campaign. The unconfirmed likelihood, MacDougall says, is Agent Tesla was "cracked," enabling unpaid access to the service and increasing its popularity. Paid users of the keylogger can access an easy-to-use Web interface and customer support via Discord, enabling simpler propagation.

"Threat actors presumably saw an opportunity to leverage a cheap solution that does not require much effort for decent profit, namely in the form of credentials or sensitive information," she adds.

Throughout the second and third quarters, researchers saw little change in the significant delivery mechanisms used to spread malware. The most common method, as seen in more than 600 incidents, is Microsoft Office vulnerability CVE-2017-11882, which remains a "prolific technique" for attackers to spread malware through phishing attacks, researchers report.

The memory corruption vulnerability, now patched, had existed for 17 years before a fix was released in Nov. 2017. This remote code execution bug exists in Microsoft Office when the software fails to properly handle objects in memory. It's exploited using Office attachments, which may range from Excel spreadsheet, to Word docs, to RTF files. When a victim clicks a malicious document, the exploit is triggered and usually downloads a "stage two" malware.

Following CVE-2017-11882, the other two most common delivery mechanisms were Office macros and Windows Script Component (WSC) downloaders. Attackers' consistent use of the same delivery mechanisms could change as the holidays approach and Emotet reemerges, driving innovation among cybercriminals who may start using new variants and tactics.

"Around the holidays, phishing emails with malware often demonstrate a change in trend, opting for holiday greeting cards and graphics or sound with underlying nefarious code," says MacDougall. Emotet's operators typically pause around Russian Orthodox Christmas, she points out, and the threat typically experiences a resurgence in activity right before then – activity reserachers began to see ramp up toward the end of the third quarter, MacDougall notes. Researchers anticipate Emotet's operators will increase its volume and sophistication.

Another notable trend third quarter was the drop in RaaS, which has decreased as attackers swap large-scale campaigns for narrowly focused ones. GandCrab was taken offline; Sodinokibi, the ransomware that shares some of its code base, has seen a low rate of dissemination. Targeted attacks let cybercriminals keep a lower profile and benefit from a higher return ratio.

"The decline of RaaS may continue, but we definitely expect more targeted ransomware campaigns to continue and likely increase," says MacDougall, noting it is "key" to differentiate betwteen RaaS and targeted ransomware campaigns going after high-value target. "With the sustained decline in active RaaS families in the last two years, that model seems to have been tabled as unlucrative as compared to other TTPs," she adds of RaaS campaigns.

For more sophisticated attackers, targeted ransomware campaigns are bringing in larger payouts, especially as insurance companies contribute to ransom payments. The combination of insurers' involvement, along with stories of how companies struggled to recover without paying ransom, may lead to a "test-the-water" resurgence in RaaS further down the road.

Looking ahead to the fourth quarter and beyond, MacDougall anticipates attackers will continue to use delivery mechanisms that work best, often abusing software features that are essential to daily business operations along with known vulnerabilities. Emotet is predicted to remain in operation for "as long as possible" with periods of quiet for updates and retooling. Finally, she expect more election-focused campaigns as both nation-states and non-state groups aim to influence the 2020 elections with information operations and cyber espionage.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Developers: The Cause of and Solution to Security's Biggest Problems."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jestinesbolton
50%
50%
jestinesbolton,
User Rank: Apprentice
10/28/2019 | 12:20:31 AM
Thank somuch
Thank you for you
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Exploiting Google Cloud Platform With Ease
Dark Reading Staff 8/6/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8720
PUBLISHED: 2020-08-13
Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable denial of service via local access.
CVE-2020-12300
PUBLISHED: 2020-08-13
Uninitialized pointer in BIOS firmware for Intel(R) Server Board Families S2600CW, S2600KP, S2600TP, and S2600WT may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2020-12301
PUBLISHED: 2020-08-13
Improper initialization in BIOS firmware for Intel(R) Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2020-7307
PUBLISHED: 2020-08-13
Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the RiskDB username and password via unprotected log files containing plain text credentials.
CVE-2020-8679
PUBLISHED: 2020-08-13
Out-of-bounds write in Kernel Mode Driver for some Intel(R) Graphics Drivers before version 26.20.100.7755 may allow an authenticated user to potentially enable denial of service via local access.