Password-protected files are a simple but effective way for attackers to evade enterprise security defenses and infect endpoints.
Not long ago, phishing attacks were nearly always delivered via email. However, today’s threat actors are increasingly targeting other channels – be it SMS, social media direct messaging and even collaboration tools – to evade common anti-malware engines, content filters and signature-based detection tools.
Across these varied platforms, password-protected files remain a common attack vector: malicious payloads are hidden inside seemingly benign, widely accepted file formats. Because the file contents are encrypted, security tools cannot decompress, read or analyze them, and because the outer extension (ZIP, DOCX, PDF) is one the business routinely accepts, the file is frequently allowed past sandboxes and automated analysis tools rather than blocked.
As a result, password-protected files containing malware all too often slip past network and gateway defenses and endpoint detection solutions and reach the intended victim. From there, increasingly sophisticated and convincing social engineering and spear phishing tactics are used to persuade the target to open the attachment and type in the password the attacker supplied, which leads to infection of the endpoint.
To reiterate, this no longer happens exclusively over email. Indeed, threat actors are increasingly directing potential victims to web browsers and external storage applications, such as Dropbox and Google Drive, to the same effect.
Three Malicious Password-Protected File Attacks
Password-protected files have resulted in widespread breaches and made headlines recently – one example stemming from the North Korean Lazarus group.
Here, threat actors delivered malicious Office documents hidden in password-protected ZIP files as they targeted Russian organizations. When the intended victims opened these ZIP files, they were presented with what looked like a legitimate and safe Word document.
That document, however, was used to run macros and infect the target endpoint. Once deployed, the Trojan gave the attackers a wide range of capabilities, from reading device configuration data and modifying the system registry to capturing what was displayed on the screen and exfiltrating data.
A second example comes from the Chinese nation-state threat actor Earth Preta, whose recent campaign used spear-phishing emails to send victims to a cloud storage provider and trick them into downloading password-protected malicious files. Once the victim opened the download in the browser and extracted it with the supplied password, the malware landed on the endpoint and gave the attackers similarly damaging capabilities, including backdoor access, command and control, and data exfiltration.
A third example is the Qbot botnet, whose campaigns likewise delivered malware payloads via phishing emails carrying password-protected ZIP files that contained malicious Windows Installer packages or Microsoft Office documents with malicious macros.
Stopping Evasive Attacks in their Tracks
While password-protected files are nothing new, they remain a widespread and popular technique used by many threat actors. According to HP Wolf Security, 42% of all malware is delivered inside archive files such as ZIP and RAR.
This is largely because archives are easy to encrypt, which makes it hard for web proxies, sandboxes and email scanners to detect the malware inside. Yet despite the risk posed by malware-infected password-protected files, most organizations do not block them at the email gateway because of the impact that would have on productivity. Unfortunately, some of the file types most often used in password-protected file attacks, Microsoft Word, Microsoft Excel, PDF and ZIP, are also the ones employees exchange every day.
Given this tension between security and productivity, organizations still need a way to deal with malicious password-protected files. But how?
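The inspection described above, as an added example that is not part of the original article: the text says security tools cannot read an encrypted file, and that gateways have to decide what to do with password-protected archives without the password. Both are true of the payload, but legacy ZipCrypto and WinZip AES encrypt only member contents; the ZIP central directory, with every member's name, size and plaintext CRC, stays in the clear. A gateway can therefore still apply policy to the inner file types (a macro-enabled Office document or an MSI inside an encrypted ZIP, as in the Lazarus and Qbot cases) before any password is involved. Everything in the block is constructed for illustration: the sample archive, its password, the member names, the risk-suffix list and the block/hold/scan rules are assumptions, not any vendor's product logic. Archive formats that also encrypt their headers (7-Zip with -mhe, RAR with -hp) do hide member names, and an archive of that kind has to take the "hold" path.

```python
import io
import struct
import zipfile
import zlib

# Standard CRC-32 table; ZipCrypto's key schedule uses it (APPNOTE.TXT 6.1).
_CRC_TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _CRC_TABLE.append(c)

def zipcrypto_encrypt(password, check_byte, plaintext):
    """Traditional PKWARE encryption: returns 12-byte header + encrypted body.
    Only here to build a constructed sample; real archives come from 7-Zip etc."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(b):  # key schedule from APPNOTE.TXT, driven by plaintext bytes
        nonlocal k0, k1, k2
        k0 = (k0 >> 8) ^ _CRC_TABLE[(k0 ^ b) & 0xFF]
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = (k2 >> 8) ^ _CRC_TABLE[(k2 ^ (k1 >> 24)) & 0xFF]

    for b in password:
        update(b)
    out = bytearray()
    # Header: 11 filler bytes (random in real archives) plus a check byte that
    # lets a decryptor reject a wrong password before reading the body.
    for b in b"\x00" * 11 + bytes([check_byte]) + plaintext:
        t = (k2 | 2) & 0xFFFF
        out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(b)
    return bytes(out)

def build_encrypted_zip(members, password):
    """Write a STORED ZIP ({name: bytes}) whose members are ZipCrypto-protected."""
    buf, central = io.BytesIO(), []
    for name, data in members.items():
        crc = zlib.crc32(data)
        body = zipcrypto_encrypt(password, crc >> 24, data)
        name_b, offset = name.encode(), buf.tell()
        # Flag bit 0 = encrypted, method 0 = stored, date 0x21 = 1980-01-01.
        # Name, sizes and the plaintext CRC are written in the clear.
        buf.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21,
                              crc, len(body), len(data), len(name_b), 0))
        buf.write(name_b + body)
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1,
                                   0, 0, 0x21, crc, len(body), len(data),
                                   len(name_b), 0, 0, 0, 0, 0, offset) + name_b)
    cd_offset = buf.tell()
    buf.write(b"".join(central))
    buf.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(central),
                          len(central), buf.tell() - cd_offset, cd_offset, 0))
    return buf.getvalue()

# Inner types the article's examples abused plus common droppers (assumed list).
RISKY_SUFFIXES = (".doc", ".docm", ".xls", ".xlsm", ".msi", ".exe", ".js",
                  ".vbs", ".lnk", ".iso", ".bat", ".scr")

def triage_archive(data):
    """Read only the central directory; no password is needed for this."""
    report = {"encrypted": False, "aes": False, "members": [], "flagged": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            enc = bool(zi.flag_bits & 1)
            report["encrypted"] |= enc
            # WinZip AES records method 99; the member name is still readable.
            report["aes"] |= zi.compress_type == 99
            report["members"].append((zi.filename, zi.file_size, enc))
            if zi.filename.lower().endswith(RISKY_SUFFIXES):
                report["flagged"].append(zi.filename)
    return report

def verdict(report):
    """Block encrypted archives with risky members, hold other encrypted ones
    for isolation or manual review, scan everything else (assumed policy)."""
    if report["encrypted"] and report["flagged"]:
        return "block"
    return "hold" if report["encrypted"] else "scan"

def read_member(data, name, pwd=None):
    """Extract one member; RuntimeError if the password is missing or wrong."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name, pwd=pwd)

# Constructed sample: a macro-enabled Word lure plus a decoy note, encrypted
# under the password a phishing message would hand the victim. The .docm body
# is placeholder bytes, not a real document.
SAMPLE_PASSWORD = b"Invoice2023"
SAMPLE = build_encrypted_zip(
    {"Invoice_Q3.docm": b"placeholder macro document", "note.txt": b"open it"},
    SAMPLE_PASSWORD)

if __name__ == "__main__":
    report = triage_archive(SAMPLE)
    print(report, "->", verdict(report))  # flags Invoice_Q3.docm -> block
    print(read_member(SAMPLE, "note.txt", SAMPLE_PASSWORD))  # b'open it'
```

Run as a script, the triage reports both members as encrypted, flags Invoice_Q3.docm and returns "block" without ever being given the password; read_member then shows that the same archive opens correctly with the password (and raises RuntimeError without it), so the constructed archive is a genuine ZipCrypto file of the kind a gateway would see, not a mock. The policy split matters in practice: a blanket block on encrypted archives is what the article says organizations avoid, whereas blocking only on risky inner types and holding the rest for isolation or a request to the recipient keeps the productivity cost low.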
Password-protected malicious files belong to the class of Highly Evasive Adaptive Threats (HEAT): attacks designed to slip past traditional detection-based security tools.
These threats exploit the growing prominence of the web browser in the workplace. The browser is now both the main tool of business productivity and an attack surface that network-layer defenses see little of, and remote and hybrid work have only made that exposure easier to exploit.
To combat HEAT attacks, whether they hide malicious payloads in password-protected files or use other evasive techniques, businesses need defenses that stop the attack before it reaches the endpoint rather than detecting it afterwards.
That means a greater focus on preventative security technologies that give visibility into browser activity and apply dynamic policy enforcement to stop zero-hour attacks.
Modern threats call for modernized defenses that identify and prevent HEAT attacks in real time.