HP Warns of Cybercriminals Using Excel Malware

PALO ALTO – HP Inc. has released its latest global HP Wolf Security Threat Insights Report (https://threatresearch.ext.hp.com/hp-wolf-security-threat-insights-report-q4-2021/), providing analysis of real-world cybersecurity attacks. By isolating threats that have evaded detection tools and made it to user endpoints, HP Wolf Security has specific insight into the latest techniques being used by cybercriminals.

The HP Wolf Security threat research team has identified a wave of attacks utilizing Excel add-in files to spread malware, helping attackers to gain access to targets, and exposing businesses and individuals to data theft and destructive ransomware attacks. There was a huge six-fold increase (+588%) in attackers using malicious Microsoft Excel add-in (.xll) files to infect systems compared to last quarter – a technique found to be particularly dangerous as it only requires one click to run the malware. The team also found adverts for .xll dropper and malware builder kits on underground markets, which make it easier for inexperienced attackers to launch campaigns.

Additionally, a recent QakBot spam campaign used Excel files to trick targets, using compromised email accounts to hijack email threads and reply with an attached malicious Excel (.xlsb) file. After being delivered to systems, QakBot injects itself into legitimate Windows processes to evade detection. Malicious Excel (.xls) files were also used to spread the Ursnif banking Trojan to Italian-speaking businesses and public sector organizations through a malicious spam campaign, with attackers posing as Italian courier service BRT (https://www.brt.it/alert-malware). New campaigns spreading Emotet malware are now using Excel instead of JavaScript or Word files too.

Other notable threats isolated by the HP Wolf Security threat insight team include:

- The return of TA505? HP identified a MirrorBlast email phishing campaign sharing many tactics, techniques, and procedures (TTPs) with TA505, a financially motivated threat group known for massive malware spam campaigns and monetizing access to infected systems using ransomware. The attack targeted organizations with the FlawedGrace Remote Access Trojan (RAT).
- Fake gaming platform infecting victims with RedLine: A spoofed Discord installer website has been discovered, tricking visitors into downloading the RedLine infostealer and stealing their credentials.
- Switching up uncommon file types is still bypassing detection: The Aggah threat group targeted Korean-speaking organizations with malicious PowerPoint add-in (.ppa) files disguised as purchase orders, infecting systems with remote access Trojans. PowerPoint malware is unusual, making up 1% of malware.

“Abusing legitimate features in software to hide from detection tools is a common tactic for attackers, as is using uncommon file types that may be allowed past email gateways. Security teams need to ensure they are not relying on detection alone and that they are keeping up with the latest threats and updating their defenses accordingly. For example, based on the spike in malicious .xll sightings we are seeing, I’d urge network administrators to configure email gateways to block incoming .xll attachments, only permit add-ins signed by trusted partners or disable Excel add-ins entirely,” explains Alex Holland, Senior Malware Analyst, HP Wolf Security threat research team, HP Inc.

“Attackers are continually innovating to find new techniques to evade detection, so it’s vital that enterprises plan and adjust their defenses based on the threat landscape and the business needs of their users. Threat actors have invested in techniques such as email thread hijacking, making it harder than ever for users to tell friend from foe.”

The findings are based on data from the many millions of endpoints running HP Wolf Security. HP Wolf Security tracks malware by opening risky tasks in isolated, micro Virtual Machines (micro-VMs) to understand and capture the full infection chain, helping to mitigate threats that have slipped past other security tools. This has let customers click on over 10 billion email attachments, web pages, and downloads with no reported breaches[i]. By better understanding the behavior of malware in the wild, HP Wolf Security researchers and engineers can bolster endpoint security protection and overall system resilience.

Other key findings in the report include:

- 13% of email malware isolated had bypassed at least one email gateway scanner.
- Threats used 136 different file extensions in their attempts to infect organizations.
- 77% of malware detected was delivered via email, while web downloads were responsible for 13%.
- The most common attachments used to deliver malware were documents (29%), archives (28%), executables (21%), spreadsheets (20%).
- The most common phishing lures were related to the New Year or business transactions such as “Order”, “2021/2022”, “Payment”, “Purchase”, “Request” and “Invoice”.

“Today, low-level threat actors can carry out stealthy attacks and sell access onto organized ransomware groups, leading to large-scale breaches that could cripple IT systems and grind operations to a halt,” said Dr. Ian Pratt, Global Head of Security for Personal Systems, HP Inc.

“Organizations should focus on reducing the attack surface and enabling quick recovery in the event of compromise. This means following Zero Trust principles and applying strong identity management, least privilege and isolation from the hardware level. For example, by isolating common attack vectors such as email, browsers or downloads using micro-virtualization, any potential malware or exploits lurking within are contained, rendering them harmless.”
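The report's practical advice is to stop .xll attachments at the email gateway and to treat the other Office file types it names (.xlsb, .xls, .ppa) as needing review. The following Python example, added here and not code from HP or the report, shows what such a gateway check looks like when applied to a parsed message: it flags attachments by extension, and, because an XLL add-in is a native Windows DLL, it also flags any attachment whose bytes begin with the PE "MZ" header even when the file name suggests a spreadsheet. The blocklist, the sample message, its addresses and its attachment contents are all constructed for this example; the subject and file names reuse the lures the report lists ("Invoice", "Order", "Payment", "2021/2022").

```python
"""Gateway-style check for risky Excel/PowerPoint attachments (added example)."""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumption: a sample policy built from the file types the report names.
BLOCKED_EXTENSIONS = {".xll", ".ppa"}          # add-ins: block outright
REVIEW_EXTENSIONS = {".xls", ".xlsb"}          # spreadsheets: hold for review

# Container magic bytes. XLL add-ins are DLLs, so they carry the PE "MZ" stub.
PE_MAGIC = b"MZ"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                        # .xlsb (Open Packaging zip)


def classify_attachment(filename, data):
    """Return the list of reasons to hold this attachment (empty if none)."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    elif ext in REVIEW_EXTENSIONS:
        reasons.append(f"spreadsheet type {ext} requires review")
    # Content check: native code is native code whatever the name says.
    if data.startswith(PE_MAGIC):
        reasons.append("PE executable header (MZ); native code regardless of name")
    # Container/extension mismatches are a cheap signal for renamed payloads.
    if ext == ".xls" and not data.startswith(CFB_MAGIC):
        reasons.append("extension .xls but content is not an OLE compound file")
    if ext == ".xlsb" and not data.startswith(ZIP_MAGIC):
        reasons.append("extension .xlsb but content is not a zip container")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 5322 message; return {filename: [reasons]} for flagged parts."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = classify_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message():
    """Construct a test message (not a real capture) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "RE: Invoice 2021/2022"
    msg.set_content("Please see attached.")
    # Stand-in XLL: just a PE stub header plus filler, enough to trip the MZ check.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="Invoice.xll")
    # A DLL renamed to look like a binary workbook.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="vnd.ms-excel", filename="Order.xlsb")
    # A legacy .xls whose container header is what it claims to be: review only.
    msg.add_attachment(CFB_MAGIC + b"\x00" * 56, maintype="application",
                       subtype="vnd.ms-excel", filename="Payment.xls")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Running the block holds all three sample attachments: the .xll on extension and on its MZ header, the renamed .xlsb on its MZ header and on the container mismatch, and the .xls on the review rule alone. A real gateway would additionally honor Holland's second option, allowing add-ins only when they carry a signature from a trusted publisher, which this example does not attempt.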

Editor