As WannaCry shows, cyber criminals are always looking for a new angle for the next big attack. An angle that’s making a big comeback lately is an attack sent via email asking for the user to enable macros.
Barracuda’s researchers have located what appears to be the source of this threat as coming from St Petersburg, Russia.
This phishing attack uses a few different techniques:
- Send an intimidating email to the recipient from what looks like an authoritative department, containing a Microsoft Office document.
- If the attached file is opened, and if macros are not enabled, the recipient may get a warning that says the document “contains macros.” Macros pose a security risk because someone with malicious intent can actually introduce a destructive macro in a document or file to launch an attack.
- The scary thing is that running the macro doesn’t require any interaction from the user aside from simply opening the file. If the recipient enables macros or if the recipient already has macros enabled in their Microsoft Office configuration — the malicious payload will run immediately.
- The payload could be anything, but of course the most popular payload these days is ransomware. If ransomware happened to be the payload here, the malicious software would silently encrypt every file on the computer once the document was opened.
- This is a great example of how easy it could be to launch a ransomware attack through email, and like we witnessed with the WannaCry attack — things can get bad really fast.
Sent by Russia:
While analysing this particular threat we also took a look at the domain that the attackers used for a bit more background. We found that the domain was actually created in January and the location of the IP address of the SMTP server is in France, however, when we looked up the A record for the domain, we found it to be in St. Petersburg Russia. All this really shows is how spread across the globe these types of attacks can be, but not actually where the attackers are located — they could really be anywhere.
Take Action:
Companies should assume that they will be attacked and need to be proactive. Regular employee training is incredibly important to ensure people remain aware of attempts like the one illustrated here. Layering employee training with security technologies like sandboxing and advanced threat protection should block malware before it ever reaches the corporate mail server. Additionally, you can deploy anti-phishing protection with Link Protection to look for links to websites that contain malicious code. Links to these compromised websites are blocked, even if those links are buried within the contents of a document.
