Data Breach Prevention Series: Weaponized Documents are Dominant Malware Delivery Vector

By March 23, 2013

Welcome to the October edition of Invincea’s advanced threat report series, in which we reveal the key threat trends encountered and stopped in the wild by Invincea. This post provides insight into the latest malware and attack vectors that are evading security controls such as next-generation firewalls, network sandboxes, and anti-virus – based on Invincea’s uniquely broad and global view into the threat landscape.

Weaponized Office Documents that Deliver Banking Trojans Dominate the Threatscape

In October, spear-phishing attacks using weaponized Office documents were dominant. Carefully crafted spear-phishing emails with weaponized Word and Excel documents used highly persuasive subject lines and email body text, tricking users into opening malicious attachments. These poisoned documents dropped a wide variety of Trojans, crimeware, and ransomware.

Banking-information-stealing Trojans such as Dridex and Shifu, delivered by weaponized Office documents, were the top attack vector for the month of October. Just-in-time assembly of malware and Object Linking and Embedding (OLE) vulnerabilities in Office documents were used in the majority of observed attacks. The volume of malware delivered by weaponized Office documents far outpaced the threats from malvertising, ransomware, and other crimeware Trojans combined. Invincea detected and stopped hundreds of these advanced attacks involving numerous malware families – attacks that had bypassed all other security controls.
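A defender-side triage check for the OLE-embedding vector described above, added here as an example and not part of Invincea's report or product: it unpacks an OOXML document (docx/xlsx/pptx are ZIP containers), flags embedded OLE objects, oleObject relationships and VBA macro parts, and runs against a constructed minimal archive rather than a real malicious sample. The part names and relationship type are the OOXML conventions; the scoring is a simple assumed heuristic.

```python
import io
import zipfile

# OOXML locations that carry embedded objects or macro code.
EMBEDDING_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header signature


def inspect_ooxml(data: bytes) -> dict:
    """Collect OLE/macro indicators from an OOXML document held in memory."""
    findings = {"embedded_ole": [], "vba_macros": False, "ole_relationships": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(EMBEDDING_DIRS):
                blob = zf.read(name)
                # Only count parts that really are OLE compound files.
                if blob.startswith(OLE_MAGIC):
                    findings["embedded_ole"].append(name)
            if name in MACRO_PARTS:
                findings["vba_macros"] = True
            if name.endswith(".rels"):
                rels = zf.read(name).decode("utf-8", "replace")
                findings["ole_relationships"] += rels.count(OLE_REL_TYPE)
    return findings


def is_weaponized_candidate(findings: dict) -> bool:
    """Assumed triage rule: any OLE embedding or macro warrants sandboxing."""
    return (bool(findings["embedded_ole"]) or findings["vba_macros"]
            or findings["ole_relationships"] > 0)


def build_sample(with_ole: bool) -> bytes:
    """Constructed minimal docx-like archive for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_ole:
            zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 16)
            zf.writestr("word/_rels/document.xml.rels",
                        '<Relationships><Relationship Type="%s" '
                        'Target="embeddings/oleObject1.bin"/></Relationships>'
                        % OLE_REL_TYPE)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_ooxml(build_sample(True)))
```

A positive result here is a routing decision (detonate in a sandbox, hold the attachment), not proof of exploitation; legitimate documents also embed OLE objects.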

Despite reports that the Dridex infrastructure had been dismantled by international law enforcement with the help of security vendors, Dridex weaponized documents resurged strongly in early October, first targeting French banking users. In the figure below, logs show the large number of French Invincea users who were protected from Dridex infections – attacks that would otherwise have succeeded.