
Vaccinate Your Organisation Against Commodity Email-Borne Infection Techniques

By Lewis Henderson, June 20, 2018 (updated December 30, 2021). 4 min read.

The success of the Rubella Macro Builder toolkit has demonstrated that cyber-crime-as-a-service is in rude health right across Europe.

A report from Flashpoint reveals that the toolkit has been used to create malicious macros in Microsoft Office documents sent as email attachments in massive criminal spam campaigns.

Rubella Macro Builder is fast, on sale at a lowered price of just $40 per month, and is in widespread use. It simplifies how PCs are infected by macros embedded in documents, a traditional form of attack. As with similar toolkits, much of its success has been down to the use of convincing-looking email interfaces that lure employees into activating the cyber-attack trigger mechanism.

Once that happens, the various encryption algorithms and droppers go to work, installing updated versions of the Panda banking Trojan or Gootkit banking malware. Personal details or business credentials are then harvested and bank accounts drained. Criminals also use social media platforms or lead victims to fake versions of banking websites.

Infected organisations have neglected security innovation

The success of these toolkits relies on the continuing failure of organisations to protect themselves from email-based attacks. Instead of using state-of-the-art technology such as file-regeneration, many security practitioners turn to conventional “reactive” technologies that focus on breach detection, unaware of alternatives that proactively disarm file-based malware.

It is worth asking why, given that roughly 70 per cent of successful cyber-attacks begin with the arrival of an email attachment bearing malicious code. File-regeneration is recognised as one of the most effective defences against these exploits, removing rogue code or unauthorised alterations hidden by criminals in the standard types of documents we use every day. It matches the structure of files arriving at the email gateway with file manufacturers’ standards, then rebuilds a clean version within fractions of a second.

In addition to structural threats, macros have long been favoured by hackers because they are a legitimate document feature that almost all organisations let in by default. While the danger of malware hidden in macros is increasingly understood, toolkits like Rubella make it easier to build and embed them in Office documents, circumventing standard methods of protection.

Do not rely on the old defences or put your faith in mitigation

Conventional security best-practice is that prevention of such attacks requires anti-virus technology (AV) to be installed at email and network gateways and endpoints, layered with other technologies such as sandboxes.

AV has its role, but since it relies on prior recognition of malware, it can never keep up with the millions of malware variants released by criminals every year, nor with emerging techniques such as the Rubella toolkit.

Sandboxes, too, are inadequate. Destructive or malicious macros are often designed to activate weeks or months after they have become embedded in a system, long after the few minutes spent being examined in the sandbox. The increasing sophistication of malware exploits also enables them to recognise a sandbox environment and switch themselves off until they have evaded the security layer.

Some vendors talk up the impossibility of protecting against cyber-attacks, emphasising the role of mitigation and the deployment of artificial intelligence-based solutions that pick up aberrant patterns of data-movement, followed by rapid action to prevent significant damage. But why should organisations accept that breaches are inevitable?

File-regeneration will give full protection against macros and file-based threats

In addition to conventional threats, criminals also use a variety of newer techniques such as “file-less” malware with payloads buried deep in the document structure, activated by simply opening the file or just enabling features such as macros and embedded files. These remain the most significant dangers delivered in Word, Excel, PowerPoint and PDF email attachments.

The only effective defence against all these threats lies in file-regeneration technology. Since it takes a split second to match a file against the manufacturer’s standard and then rebuild a clean version, file-regeneration does not allow any unauthorised code or non-conforming structural elements into an organisation. The technology also allows organisations to set policy ensuring that features such as macros are available to departments or individuals who need to use them, with the level of risk controlled with surgical precision.
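The match-and-rebuild step described above (and in the earlier passage on matching file structure against the manufacturer's standard) can be shown in miniature on an Office Open XML container. The following is an added example written for this article; it is not the author's code, nor the code of any file-regeneration product. A .docx is a zip archive of named parts, so "regeneration" here means writing a brand-new archive that contains only allow-listed parts whose XML actually parses, never copying unknown or macro parts unless a per-department policy permits them. The allow-list, the department policy and the sample document are all constructed assumptions for the example, not a standard.

```python
"""Minimal "file regeneration" (content disarm and reconstruction) for a
.docx-style attachment.  Added example: not the article author's code and not
any vendor's product.  ALLOWED_PARTS, MACRO_POLICY and the sample document are
constructed assumptions for illustration."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Parts a rebuilt Word document may carry (constructed allow-list; a real
# implementation would derive it from the ECMA-376 package specification).
ALLOWED_PARTS = {
    "[Content_Types].xml",
    "_rels/.rels",
    "word/document.xml",
    "word/_rels/document.xml.rels",
    "word/styles.xml",
}

# Parts that carry VBA macros: forwarded only when policy allows it.
MACRO_PARTS = {"word/vbaProject.bin", "word/_rels/vbaProject.bin.rels"}

# Hypothetical per-department policy; anything not listed defaults to "no macros".
MACRO_POLICY = {"finance": True, "sales": False}


def build_sample_docx(with_macro: bool, corrupt_body: bool = False) -> bytes:
    """Construct a minimal .docx-style archive in memory (sample input, not a real file)."""
    body = (
        '<?xml version="1.0"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body></w:document>'
    )
    if corrupt_body:
        body = body.replace("</w:document>", "")  # unclosed root: no longer conforms
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                   'package/2006/content-types"><Default Extension="xml" '
                   'ContentType="application/xml"/></Types>')
        z.writestr("_rels/.rels",
                   '<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/'
                   'package/2006/relationships"/>')
        z.writestr("word/document.xml", body)
        if with_macro:
            # Constructed placeholder bytes standing in for a VBA project; not real VBA.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
        z.writestr("word/oleObject1.bin", b"constructed unknown binary part")
    return buf.getvalue()


def regenerate(document: bytes, allow_macros: bool = False) -> tuple[bytes, list[str]]:
    """Rebuild the document into a fresh archive and return (clean_bytes, dropped_parts).

    Every part is re-written from scratch: unknown parts are never forwarded,
    XML parts must parse, and macro parts are copied only if allow_macros is set.
    Because only allow-listed names are ever written, entry names from the
    original (including any with path traversal) cannot reach the output."""
    if not zipfile.is_zipfile(io.BytesIO(document)):
        raise ValueError("not an OOXML container: reject rather than attempt repair")
    dropped: list[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(document)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name in MACRO_PARTS:
                if allow_macros:
                    dst.writestr(name, data)
                else:
                    dropped.append(name)
                continue
            if name not in ALLOWED_PARTS:
                dropped.append(name)          # unknown part: never forwarded
                continue
            if name.endswith((".xml", ".rels")):
                try:
                    ET.fromstring(data)
                except ET.ParseError:
                    dropped.append(name)      # non-conforming structure: dropped
                    continue
            dst.writestr(name, data)
    return out.getvalue(), dropped


def regenerate_for_recipient(document: bytes, department: str) -> tuple[bytes, list[str]]:
    """Apply the hypothetical department policy; unknown departments get no macros."""
    return regenerate(document, allow_macros=MACRO_POLICY.get(department, False))


def part_names(document: bytes) -> list[str]:
    """List the parts of an archive in stored order (used to inspect results)."""
    with zipfile.ZipFile(io.BytesIO(document)) as z:
        return z.namelist()


if __name__ == "__main__":
    clean, dropped = regenerate_for_recipient(build_sample_docx(with_macro=True), "sales")
    print("kept:", part_names(clean))
    print("dropped:", dropped)
```

The design choice that matters is that the output is built from nothing rather than edited in place: the clean file contains only what the allow-list and policy positively admit, so an unknown part, a malformed XML part or a container that is not a zip at all never makes it through, while a department with a recorded business need for macros still receives them.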

Given the ease with which criminals can launch attacks against companies, government agencies and critical infrastructure organisations, deploying innovative solutions such as file-regeneration is now the only sensible course of action.

While it’s possible to build up passive natural immunity to the biological Rubella virus, immunity from the digital version of the virus is impossible unless organisations take the initiative and adopt more active and innovative technologies. Rather than trying to contain the damage after it’s happened, it is therefore essential that companies vaccinate themselves with file-regeneration to prevent any infection in the first place.

Lewis Henderson

VP Threat Intelligence


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.