BACKGROUND:
The ransomware group TA505 is trailblazing with mass-volume email attacks on financial institutions using retooled malware and exotic scripting languages. The cybercrime group is targeting financial enterprises with an email phishing campaign: victims are directed to a fake website made to look legitimate, from which an Excel file containing a macro is downloaded. It is this macro that then downloads an MSI file, which eventually executes the MirrorBlast malware on the device.
<p>We’re seeing a dramatic resurgence of malware using phishing and malicious office documents during the pandemic due to the increase in remote work. While the typical security control recommendations like network segmentation, 2FA and patching are all helpful, there’s one really simple thing organizations can do that stops ransomware hiding in malicious office documents in its tracks: code signing macros.</p>
<p>This can be set up once and then it’s completely frictionless; every macro is signed automatically and unsigned macros are not allowed to run. Even if an employee clicks on a malicious office document, nothing happens. It stops the malware kill chain and dramatically reduces the security risks connected with this attack vector.</p>
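The enforcement half of the control described above ("unsigned macros are not allowed to run") is an Office policy setting, not a feature of the signing tool. The PowerShell below is an added example, not code from the original article or from any vendor quoted in it; it writes the Office policy values that restrict Excel, Word and PowerPoint to digitally signed macros, blocks macros in files downloaded from the internet, and then reports whether each application is actually in the signed-only state. The thumbprint of the organisation's macro-signing certificate is a placeholder that must be replaced; the check simply confirms that the certificate is in the machine's Trusted Publishers store, because signed macros from an untrusted publisher are still blocked at level 3.

```powershell
# Added example: enforce "disable all macros except digitally signed" via Office policy keys.
# VBAWarnings values: 1 = enable all, 2 = disable with notification,
#                     3 = disable all except digitally signed, 4 = disable all, no notification.
# Office 16.0 covers Office 2016/2019/2021 and Microsoft 365 Apps.
$OfficeVersion  = '16.0'
$Apps           = @('Excel', 'Word', 'PowerPoint')
$SignedOnly     = 3
# Placeholder: thumbprint of the certificate used to sign the organisation's macros.
$SigningCertThumbprint = 'REPLACE_WITH_SIGNING_CERT_THUMBPRINT'

function Set-SignedMacroPolicy {
    param([string]$App)
    # Policy path wins over the per-user Trust Center setting the employee can change.
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # Only signed macros may run, and Mark-of-the-Web files get no macro execution at all.
    Set-ItemProperty -Path $policyKey -Name 'VBAWarnings' -Type DWord -Value $SignedOnly
    Set-ItemProperty -Path $policyKey -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
}

function Test-SignedMacroPolicy {
    param([string]$App)
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $policyKey)) { return $false }
    $props = Get-ItemProperty -Path $policyKey
    return ($props.VBAWarnings -eq $SignedOnly) -and
           ($props.blockcontentexecutionfrominternet -eq 1)
}

function Test-TrustedPublisher {
    param([string]$Thumbprint)
    # Signed macros only run automatically when the signer sits in Trusted Publishers.
    return Test-Path "Cert:\LocalMachine\TrustedPublisher\$Thumbprint"
}

foreach ($app in $Apps) {
    Set-SignedMacroPolicy -App $app
    $state = if (Test-SignedMacroPolicy -App $app) { 'signed-only' } else { 'NOT ENFORCED' }
    Write-Output ("{0,-11} macro policy: {1}" -f $app, $state)
}

if (Test-TrustedPublisher -Thumbprint $SigningCertThumbprint) {
    Write-Output 'Signing certificate is in Trusted Publishers; signed macros will run.'
} else {
    Write-Output 'Signing certificate missing from Trusted Publishers; even signed macros will be blocked.'
}
```

In a managed estate the same values are normally delivered through Group Policy or Intune rather than a per-user script, and the `Test-` functions are the useful part: run them in a compliance check so that a workstation where the policy has been tampered with, or where the signing certificate has not been deployed, is reported before an employee opens the next lure document.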