Security experts report that email-based malware distribution campaigns have recently switched from JavaScript attachments to SVG files and malicious LNK files.
Malware Uses Less Suspicious File Types
According to CSO Online, after aggressively using JavaScript email attachments to distribute malware for the past year, attackers are now tricking users by switching to less suspicious file types. Security researchers from the Microsoft Malware Protection Center warned last week about a new wave of spam emails carrying malicious LNK files inside ZIP archives. Malicious PowerShell scripts were attached to these files.
According to security experts, PowerShell is a scripting language for automating administration tasks on Windows. In the past, this scripting language has been abused to download malware, and some malware programs are even written entirely in PowerShell.
In the recent email-based malware distribution campaign seen by Microsoft, the malicious LNK files included a PowerShell script that performs its malicious action automatically. The script downloads and installs the Kovter click fraud Trojan without the user's knowledge. The Locky ransomware has been distributed in the past using the same technique.
Security researchers from Intel Security warned on Thursday, Feb. 2, that PowerShell can also be used to load malicious code directly into memory in so-called fileless attacks. The distinguishing feature of such attacks is that nothing is written to disk, which makes them very difficult for endpoint security products to detect.
The Intel Security researchers said that even if PowerShell execution policies are set to "Restricted," users are still not protected from fileless malware. Attackers can easily bypass these policies, and as a consequence the malicious scripts are allowed to run.
In recent months, Scalable Vector Graphics (SVG) has been another file type often used to distribute malware. Most people correctly associate SVG files with images, but it is less well known that JavaScript code can be included in such files. Attackers have used SVG files to execute JavaScript code when users open what they assume to be images in their browsers.
Measures To Limit Email Malware Proliferation
These scripts launch malicious file downloads, as recently reported by incident responders from the SANS Internet Storm Center. For this reason, starting Feb. 13, Google plans to block all JavaScript file attachments in Gmail, regardless of whether they are attached directly or inside archive files such as ZIP. Such restrictions from email providers will force cyber criminals to find alternative file formats in which to hide malicious code.
Email file attachments are common vectors for malware, as reported by Symantec. Exposure to risk can be limited by blocking certain common file types/extensions. However, while blocking any of these file extensions limits exposure to possibly malicious files, it will also block some legitimate files. In cases where a blocked file type needs to be shared, means other than email can be used to share or transfer such files.
Regardless of which product is being used, most mail security products can block these types of files by file extension. However, if a file is renamed, this kind of filter will not block it. Only a few mail security products can also block by the "true file type" even when the file has been renamed.
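A content-based check of the kind the last paragraph describes, written as an added example that is not from the article or any product it mentions: it classifies an attachment by its bytes (the MS-SHLLINK header for LNK, the ZIP local-file signature, and script markers inside SVG text), walks ZIP members, and so still catches the renamed LNK and SVG samples constructed below. The blocking policy, size limits and sample files are assumptions.

```python
import io
import re
import zipfile

# MS-SHLLINK header: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000 01140200 00000000 c0000000 00000046")
ZIP_MAGIC = b"PK\x03\x04"
# Script vectors inside SVG: <script> elements, on* event attributes, javascript: URLs
SVG_SCRIPT = re.compile(rb"<script\b|\son[a-z]+\s*=|javascript:", re.IGNORECASE)
BLOCKED = {"lnk", "svg+script"}   # assumed policy: plain "svg" without script is allowed
MAX_DEPTH = 2                     # nested archives to unpack before giving up

def true_type(data: bytes) -> str:
    """Classify by content, ignoring the file name entirely."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:2048].lower()
    if head.startswith(b"<") and b"<svg" in head:
        return "svg+script" if SVG_SCRIPT.search(data) else "svg"
    return "other"

def screen(name: str, data: bytes, depth: int = 0) -> list:
    """Return (path, true_type, blocked) for the attachment and every archive member."""
    kind = true_type(data)
    findings = [(name, kind, kind in BLOCKED)]
    if kind == "zip" and depth < MAX_DEPTH:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    findings += screen(f"{name}/{info.filename}", zf.read(info), depth + 1)
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: a renamed LNK and a renamed scripted SVG inside a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", LNK_MAGIC + b"\x00" * 56)  # LNK header disguised as PDF
        zf.writestr("photo.png", b'<svg xmlns="http://www.w3.org/2000/svg">'
                                 b"<script>console.log(1)</script></svg>")  # scripted SVG as PNG
        zf.writestr("logo.svg", b'<svg xmlns="http://www.w3.org/2000/svg"><rect/></svg>')
    return buf.getvalue()

if __name__ == "__main__":
    for path, kind, blocked in screen("attachment.zip", build_sample_zip()):
        print(f"{'BLOCK' if blocked else 'allow'}  {kind:11} {path}")
```

The extension-only filter the article describes would pass all three members of this archive; the content check blocks the two that carry executable payloads.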