Can Organizations Combat Malicious Password-Protected File Attacks?


Password-protected files are an intelligent way in which attackers are working to evade enterprise security defenses and infect endpoints. 

Not long ago, phishing attacks were nearly always delivered via email. However, today’s threat actors are increasingly targeting other channels – be it SMS, social media direct messaging and even collaboration tools – to evade common anti-malware engines, content filters and signature-based detection tools.

Across these varied platforms, password-protected files remain a common attack vector. Here, malicious payloads are hidden within seemingly benign, safe, and accepted file formats. Because the files are encrypted, security tools can’t read and analyze them. When this is done using commonly used file extensions, organizations often allow malicious files to pass through security sandboxes or automated analysis tools.

As a result, password-protected files containing malware are all too often able to evade network or gateway security defenses and endpoint detection solutions, reaching the threat actor’s target destination. Once this has been achieved, individuals are exposed to increasingly sophisticated and convincing social engineering and spear phishing tactics used by attackers to trick their targets into clicking on attachments and entering the required password, leading to infection of the endpoint. 
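As an added illustration of the inspection gap described above (example code, not from the article or any product it mentions): a gateway filter cannot read the contents of a password-protected ZIP, but it can still read the archive's own metadata, including the per-entry encryption flag, and act on that. The archives, entry names and verdict labels below are constructed for the demo.

```python
import io
import os
import struct
import zipfile
import zlib

FLAG_ENCRYPTED = 0x0001  # ZIP general-purpose bit 0: entry is encrypted
MACRO_CAPABLE = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}  # Office lures

def build_zip(entries):
    """Assemble a minimal stored-method ZIP from (name, body, encrypted) tuples.
    Constructed for the demo: an 'encrypted' body is filler, not real ciphertext."""
    local, central = b"", b""
    for name, body, encrypted in entries:
        flags = FLAG_ENCRYPTED if encrypted else 0
        fname, crc = name.encode(), zlib.crc32(body)
        central += struct.pack("<I6H3I5H2I", 0x02014B50, 20, 20, flags, 0, 0, 0x21,
                               crc, len(body), len(body), len(fname), 0, 0, 0, 0,
                               0, len(local)) + fname
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                             crc, len(body), len(body), len(fname), 0) + fname + body
    eocd = struct.pack("<I4H2IH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd

def triage_zip(data):
    """Inspect archive metadata only: this much never needs the password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [{"name": i.filename,
                 "encrypted": bool(i.flag_bits & FLAG_ENCRYPTED),
                 "macro_capable": os.path.splitext(i.filename)[1].lower() in MACRO_CAPABLE}
                for i in zf.infolist()]

def readable_without_password(data, name):
    """True when a content scanner can pull the entry's bytes with no password."""
    try:
        zipfile.ZipFile(io.BytesIO(data)).read(name)
        return True
    except RuntimeError:  # zipfile's signal for 'password required'
        return False

def verdict(findings):
    """Quarantine a password-protected Office document; hold other encrypted archives."""
    if any(f["encrypted"] and f["macro_capable"] for f in findings):
        return "quarantine"
    return "hold-for-review" if any(f["encrypted"] for f in findings) else "allow"

# Constructed samples: a plain archive and a password-protected Office lure.
BENIGN = build_zip([("notes.txt", b"quarterly figures attached", False)])
LURE = build_zip([("Invoice.docm", b"\x00" * 12 + b"<ciphertext stand-in>", True)])
```

The same flag check applies to archives fetched from a link in a chat message or a cloud-storage share, not only to mail attachments.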

To reiterate, this no longer happens exclusively over email. Indeed, threat actors are increasingly directing potential victims to web browsers and external storage applications, such as Dropbox and Google Drive, to the same effect. 

Three Malicious Password-Protected File Attacks

Password-protected files have resulted in widespread breaches and made headlines recently – one example stemming from the North Korean Lazarus group.

Here, threat actors delivered malicious Office documents hidden in ZIP files as they targeted Russian organizations. When the intended victims opened these ZIP files, they were presented with what looked like a legitimate and safe Word document. 

However, this was used to launch macros and infect the target endpoint. Once this had been achieved, the…
