Recently, we discovered malware in the wild in the form of password-protected document files, such as PDF and Word documents. The malware is used as an email attachment in limited, targeted attacks.
Passwords for document files are commonly used to prevent unauthorized access by encrypting the files. However, attackers are misusing this password feature to encrypt malicious files, most likely to make it difficult for security products to detect them as malware. It also makes reverse engineering the files harder, because they need to be decrypted before analysis can be performed.
This malware itself isn’t anything special. It is no different from the common attachments used in typical targeted attacks, except that it requires a password to be opened. Various office suite software includes a password encryption feature, so word processor documents are not the only file type that can be used for this sort of attack: spreadsheet and presentation files are also affected.
In the past, we have often seen password-protected email attachments, but these have usually been archive files. The archives themselves are not usually detected, but the files inside them are detected once they are extracted. In this particular attack, however, the attached document files themselves are password-protected, meaning the files are encrypted. This technique prevents security products from recognizing the exploit code as well as the malicious code inside the file, and it also makes detection of unknown malware difficult. We can provide protection by detecting the encrypted files themselves, as long as we are able to acquire the files and add detection for them. Again, because of the encryption, heuristic detection is difficult for these password-protected files as well.
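Because an encrypted document cannot be content-scanned, one practical mail-gateway check is simply to recognise that an attachment is password-protected and route it for closer review. The following is an added example, not the vendor's detection code; it uses two structural markers (an /Encrypt entry in a PDF trailer, and the OLE compound-file container with an EncryptedPackage stream that password-protected Office Open XML documents use) and runs on constructed sample bytes rather than real documents.

```python
"""Flag password-protected PDF / Office attachments for triage (added example).

Heuristics (sufficient for triage, not a full parser):
  * PDF: an encrypted PDF carries an /Encrypt key in its trailer dictionary.
  * OOXML (docx/xlsx/pptx): a password-protected file is no longer a ZIP but an
    OLE compound file (magic D0 CF 11 E0 ...) containing an "EncryptedPackage"
    stream, whose name is stored as UTF-16LE in the OLE directory.
"""
import re

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")


def classify_attachment(data: bytes) -> str:
    """Return 'encrypted-pdf', 'pdf', 'encrypted-office', 'office-ole',
    'office-ooxml' or 'unknown' for the given attachment bytes."""
    if data.startswith(b"%PDF-"):
        # \b stops '/EncryptMetadata' (a sub-key) from counting on its own.
        return "encrypted-pdf" if re.search(rb"/Encrypt\b", data) else "pdf"
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls are OLE too; only the EncryptedPackage stream
        # marks a password-protected OOXML document.
        return "encrypted-office" if ENCRYPTED_PACKAGE in data else "office-ole"
    if data.startswith(ZIP_MAGIC):
        return "office-ooxml"
    return "unknown"


def needs_manual_review(data: bytes) -> bool:
    """Encrypted documents defeat content scanning, so hand them to an analyst
    or a sandbox that can be given the password quoted in the mail body."""
    return classify_attachment(data).startswith("encrypted-")


# Constructed samples: minimal byte patterns, not real documents.
SAMPLE_ENCRYPTED_PDF = (b"%PDF-1.7\n1 0 obj<</Type/Catalog>>endobj\n"
                        b"trailer<</Root 1 0 R/Encrypt 2 0 R>>\n%%EOF")
SAMPLE_PLAIN_PDF = b"%PDF-1.7\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF"
SAMPLE_ENCRYPTED_DOCX = OLE_MAGIC + b"\x00" * 64 + ENCRYPTED_PACKAGE + b"\x00" * 64
SAMPLE_PLAIN_DOCX = ZIP_MAGIC + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [("enc.pdf", SAMPLE_ENCRYPTED_PDF), ("plain.pdf", SAMPLE_PLAIN_PDF),
                       ("enc.docx", SAMPLE_ENCRYPTED_DOCX), ("plain.docx", SAMPLE_PLAIN_DOCX)]:
        print(f"{name}: {classify_attachment(blob)}, review={needs_manual_review(blob)}")
```

Note that a PDF with an /Encrypt entry may open without a prompt (empty user password) yet still hides its content from a scanner, which is why the check keys on the structure rather than on whether a prompt appears.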
This, however, doesn’t mean that security products can’t prevent infection. Even if the malicious document file goes undetected and the exploit runs to drop or download further malware, which is the common payload of targeted attacks, protecting against the dropped or downloaded malware doesn’t require anything special: it is detected like any other malware. So if someone falls for this new trick, opens the document file and enters the password provided in the body of the email, traditional detection as well as proactive detection can catch the dropped or downloaded file just as in any other type of attack.
While the attackers have now added an extra trick to their repertoire, as long as multi-layered defence is used, the risk of infection shouldn’t be any higher than for other types of targeted attacks.