Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

10/25/2019
04:25 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Microsoft Office Bug Remains Top Malware Delivery Vector

CVE-2017-11882 has been attackers' favorite malware delivery mechanism throughout the second and third quarters of 2019.

The third quarter of 2019 brought the rise of keylogger Agent Tesla, the decline of phishing-delivered ransomware-as-a-service (RaaS), and attackers' continued preference for exploiting the CVE-2017-11882 Microsoft Office vulnerablity to deliver phishing campaigns.

Emotet began to surge toward the end of last quarter, according to Cofense's Q3 2019 Malware Trends Report, the latest report in a series of phishing updates throughout the year. Summer lulls are not uncommon for cybercriminals, says threat intelligence manager Mollie MacDougall, as attackers and targets take more holidays. Emotet's summer break contributed to the quiet.

It wasn't completely silent on the phishing front. Researchers saw a shift from mostly information stealers in the second quarter, to keyloggers, namely Agent Tesla, in the third. The change doesn't necessarily reflect a broader shift to keyloggers; nor does it relate to a specific campaign. The unconfirmed likelihood, MacDougall says, is Agent Tesla was "cracked," enabling unpaid access to the service and increasing its popularity. Paid users of the keylogger can access an easy-to-use Web interface and customer support via Discord, enabling simpler propagation.

"Threat actors presumably saw an opportunity to leverage a cheap solution that does not require much effort for decent profit, namely in the form of credentials or sensitive information," she adds.

Throughout the second and third quarters, researchers saw little change in the significant delivery mechanisms used to spread malware. The most common method, as seen in more than 600 incidents, is Microsoft Office vulnerability CVE-2017-11882, which remains a "prolific technique" for attackers to spread malware through phishing attacks, researchers report.

The memory corruption vulnerability, now patched, had existed for 17 years before a fix was released in Nov. 2017. This remote code execution bug exists in Microsoft Office when the software fails to properly handle objects in memory. It's exploited using Office attachments, which may range from Excel spreadsheet, to Word docs, to RTF files. When a victim clicks a malicious document, the exploit is triggered and usually downloads a "stage two" malware.

Following CVE-2017-11882, the other two most common delivery mechanisms were Office macros and Windows Script Component (WSC) downloaders. Attackers' consistent use of the same delivery mechanisms could change as the holidays approach and Emotet reemerges, driving innovation among cybercriminals who may start using new variants and tactics.

"Around the holidays, phishing emails with malware often demonstrate a change in trend, opting for holiday greeting cards and graphics or sound with underlying nefarious code," says MacDougall. Emotet's operators typically pause around Russian Orthodox Christmas, she points out, and the threat typically experiences a resurgence in activity right before then – activity reserachers began to see ramp up toward the end of the third quarter, MacDougall notes. Researchers anticipate Emotet's operators will increase its volume and sophistication.

Another notable trend third quarter was the drop in RaaS, which has decreased as attackers swap large-scale campaigns for narrowly focused ones. GandCrab was taken offline; Sodinokibi, the ransomware that shares some of its code base, has seen a low rate of dissemination. Targeted attacks let cybercriminals keep a lower profile and benefit from a higher return ratio.

"The decline of RaaS may continue, but we definitely expect more targeted ransomware campaigns to continue and likely increase," says MacDougall, noting it is "key" to differentiate betwteen RaaS and targeted ransomware campaigns going after high-value target. "With the sustained decline in active RaaS families in the last two years, that model seems to have been tabled as unlucrative as compared to other TTPs," she adds of RaaS campaigns.

For more sophisticated attackers, targeted ransomware campaigns are bringing in larger payouts, especially as insurance companies contribute to ransom payments. The combination of insurers' involvement, along with stories of how companies struggled to recover without paying ransom, may lead to a "test-the-water" resurgence in RaaS further down the road.

Looking ahead to the fourth quarter and beyond, MacDougall anticipates attackers will continue to use delivery mechanisms that work best, often abusing software features that are essential to daily business operations along with known vulnerabilities. Emotet is predicted to remain in operation for "as long as possible" with periods of quiet for updates and retooling. Finally, she expect more election-focused campaigns as both nation-states and non-state groups aim to influence the 2020 elections with information operations and cyber espionage.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Developers: The Cause of and Solution to Security's Biggest Problems."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jestinesbolton
50%
50%
jestinesbolton,
User Rank: Apprentice
10/28/2019 | 12:20:31 AM
Thank somuch
Thank you for you
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15815
PUBLISHED: 2019-11-12
ZyXEL P-1302-T10D v3 devices with firmware version 2.00(ABBX.3) and earlier do not properly enforce access control and could allow an unauthorized user to access certain pages that require admin privileges.
CVE-2019-17360
PUBLISHED: 2019-11-12
A vulnerability in Hitachi Command Suite 7.x and 8.x before 8.7.0-00 allows an unauthenticated remote user to trigger a denial of service (DoS) condition because of Uncontrolled Resource Consumption.
CVE-2018-21026
PUBLISHED: 2019-11-12
A vulnerability in Hitachi Command Suite 7.x and 8.x before 8.6.5-00 allows an unauthenticated remote user to read internal information.
CVE-2012-1572
PUBLISHED: 2019-11-12
OpenStack Keystone: extremely long passwords can crash Keystone by exhausting stack space
CVE-2019-17234
PUBLISHED: 2019-11-12
includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows unauthenticated arbitrary file deletion.