How We Stop Email Malware – Part 1


Email malware has been around for years, starting in the early ’90s and being very prolific until today, mostly by leveraging vulnerabilities and malicious macros.

Filtering spam and phishing emails is not an easy job, but among the extra traits we own compared to traditional anti-spam filters is the fact that our filters are much more complex and bundle a plethora of features and individual scanners.

Our current Local Cloud or Hosted Cloud setups enable us to maintain email continuity and deliver high performance filters to customers for a spam, phishing and malware free environment.

Let’s first take a look at the most common types of Email Malware.

Most of the time, email malware doesn’t discriminate between targets: cyber-criminals usually aim spam and malware at wide groups of individuals, except when they acquire well-targeted email lists from spammers for targeted attacks.

Besides the wider target, another issue is that, compared to malware spread via other vectors, cyber-criminals know your email address even if they don’t currently have access to your computer or even know your IP address. Setting up a distribution point therefore enables them to spread malware fast and infect many computers in a short timeframe.

These “blitz” campaigns are an essential element for cyber-criminals, because in this short window they attempt to bypass some security measures and infect as many computers as possible, depending on a large number of factors, such as zero-day vulnerabilities, unpatched services, and so on.

Now what’s so important about email malware? Most malware using email as an attack vector is spread via attachments containing malicious scripts or macros that, in most cases, leverage vulnerabilities.

This means that the usual “hosts” are Microsoft Office documents, PDF files or ZIP archives. It is obvious that executables (.exe, .bat, .cmd, .dll, .js, and so on) are the most direct approach to infecting someone via email, but in this case they are less relevant, as cyber-criminals look to cloak their scripts or executables and use the “back door” as an infection vector.

MS Office Documents

Microsoft Office documents are well known for carrying malicious macros. Macros are small scripts within a file/program used to automate simple tasks.

Word or Excel documents are often used to bundle malicious macros that download malware payloads, such as spyware, ransomware, rootkits, or other trojans.

Macro malware-laden documents masquerade as sales invoices, tax payments, resumes, courier notifications or donation confirmations.

Let’s take a quick peek at how malicious macros work. For example, the user receives the email with a Word document attached and downloads it on his computer. Next, out of “pure curiosity”, he opens the document, in which case there are two options:

One – he has macros enabled and the malicious macro ends up running. Two – macros are disabled but he can’t view anything in the document (“text” is blurred, scrambled or just gibberish) and he is required to enable macros in order to see the contents of that document properly. In both cases, the user ends up infecting his computer.

Now, once the macro is running, it downloads the binary payload(s) and fully infects the computer, for example with ransomware or financial trojans that steal credit card data and credentials for financial services.
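The infection chain above starts with an Office attachment that carries a VBA project, so a filter's first question is simply whether the attachment contains one. The following is an added example (not SpamExperts' own filter code) showing how to answer that for zip-based OOXML files: it looks for the `vbaProject.bin` part and its content type, and flags the case where macro code sits inside a file whose extension (such as `.docx`) claims it has none. The two sample documents are constructed in memory and are not real Word files.

```python
import io
import os
import zipfile

# Markers of a macro-enabled OOXML document (Word, Excel, PowerPoint).
VBA_PART_SUFFIX = "vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OOXML_MAGIC = b"PK\x03\x04"
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}

def inspect_office_attachment(filename: str, data: bytes) -> dict:
    """Report whether an OOXML attachment carries a VBA project and whether
    that matches what its file extension promises."""
    result = {"ooxml": False, "has_vba": False, "ext_mismatch": False, "reasons": []}
    if not data.startswith(OOXML_MAGIC):
        result["reasons"].append("not an OOXML (zip-based) document")
        return result
    result["ooxml"] = True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            vba_parts = [n for n in names if n.endswith(VBA_PART_SUFFIX)]
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace") \
                if "[Content_Types].xml" in names else ""
    except zipfile.BadZipFile:
        result["reasons"].append("corrupt zip container")
        return result
    if vba_parts or VBA_CONTENT_TYPE in ctypes:
        result["has_vba"] = True
        result["reasons"].append(f"VBA project present: {vba_parts or 'declared in content types'}")
    ext = os.path.splitext(filename.lower())[1]
    # Macro code in a .docx/.xlsx/.pptx is a strong signal: those types are not macro-enabled.
    if result["has_vba"] and ext not in MACRO_EXTENSIONS:
        result["ext_mismatch"] = True
        result["reasons"].append(f"macro code inside a file with extension {ext or '(none)'}")
    return result

def _build_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML container used as sample input (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        parts = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_vba:
            parts.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(parts) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()

CLEAN_DOCX = _build_sample(with_vba=False)
MACRO_DOCM = _build_sample(with_vba=True)
```

Legacy binary formats (.doc, .xls) are OLE2 containers rather than zip files and need a separate parser; this check deliberately reports them as "not an OOXML document" instead of guessing.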

A good recent example is this fake traffic ticket scam reported on HoaxSlayer, which uses a Word document with malicious macros to download malware onto the victim’s computer.

Stay tuned for Part Two! Until Friday, get the best protection against email malware with SpamExperts!
