HP has revealed a number of stealthy techniques and a rise in Excel malware campaigns that are putting victims in the crosshairs of ransomware gangs.
While the world is inching towards digitalisation every second, cyber actors have found more sophisticated tools to wreak havoc on enterprises.
The HP Wolf Security threat research team identified a wave of attacks that use Excel features to bypass detection and gain access to target organisations, exposing them to data theft and destructive ransomware attacks.
One campaign using Microsoft Excel add-in files (.xll) to spread malware in one click saw a six-fold increase (+588%), with the tools to recreate the attack on sale on underground forums.
Other Excel campaigns used stealthy techniques like email thread hijacking to trick users into clicking. Even Emotet campaigns now take advantage of Excel instead of JavaScript or Word files.
By abusing legitimate tools, hiding malware in obscure file types, and sending convincing lures using thread hijacking, even low-level threat actors can carry out stealthy attacks and sell access to organised ransomware groups. This can lead to large-scale breaches that could cripple IT systems and grind operations to a halt.
HP’s key findings showed that 13% of email malware isolated had bypassed at least one email gateway scanner. In addition, threats used 136 different file extensions in their attempts to infect organisations; and 77% of malware detected was delivered via email, while web downloads were responsible for 13%.
The team has also highlighted other isolated threats. Most attackers couple Excel malware with other phishing tools to cause issues to organisations.
One of them is the QakBot spam campaign that attacks Windows processes after entering the system through compromised email accounts. The malware is perilous and finds a place in HP’s top malware family list. For attackers, Qakbot is a more sustainable alternative to Emotet after federal authorities clamped down on the botnet infrastructure last autumn.
The danger is amplified by the low cost of buying extension builder kits. HP notes that these are readily available on the dark web at around $2,100 (£1,530) per module.
Besides QakBot, the team has also warned about the return of TA505 using the MirrorBlast phishing campaign to steal financial information.
TA505 first gained notoriety in 2014 after hacking global energy sectors using Locky and TrickBot. Netherlands’s Maastricht University has been one of its recent victims and saw damage to its private files. Most of these threats were localised in nature.
Other instance include threat group Aggah, which only attacked Korean organisations using PowerPoint Trojans, and the Italian-speaking companies that were targeted by the Cutwail botnet through banking Trojan Usrnif. The campaign has already hurt at least 248 Italian enterprises.
HP also identified Dridex, BazaLoader, Raccoon Stealer, Agent Tesla, Formbook and Bitrat as major malware families capable of causing a large-scale infrastructure collapse. Attackers have also preyed consistently on Discord by creating RedLine injected websites.
For mitigation, enterprises can follow guidelines released recently by the team. Researchers have advised the engineering teams to reduce the attack surface as and when an invasion strikes. Robust identity management, hardware isolation and implementing zero trust principles should be part of an effective cyber strategy.
HP has recommended organisations to configure email gateways so the XLL-induced emails can be instantly detected and eliminated. For HP Wolf Security users, enabling Threat Forwarding and regularly updating HP Wolf Security Controller might thwart hackers.