Two state-sponsored cybergangs, one Russian, one North Korean, have been using malware embedded in Microsoft products to launch espionage attacks on targets in Western Asia and the United States.
Russia-affiliated group using Excel for espionage attacks
A recent report from Trellix reveals that an attacker believed to be Russia-sponsored APT28, aka Fancy Bear, launched an espionage attack targeting high-ranking government officials in a Western Asia nation, including individuals involved in the defense industry, national security, and the prime minister’s office.
The attacks start with malware hidden in an Excel downloader that is likely delivered via email, along with an attached Excel spreadsheet. The downloader exploits CVE-2021-40444, “Microsoft MSHTML Remote Code Execution Vulnerability,” a known vulnerability.
To avoid detection, the attack is cleverly executed in several different stages. Within a few of these steps, the attackers get control of the victim’s system through Microsoft OneDrive.
The researchers concluded the attack was a very advanced level espionage attack because of the careful targeting and the sophisticated malware and infrastructure used in the attack.
North Korean entity using Windows Update to attack US defense industry
A North Korean cyber-attacker known as “Lazarus” is exploiting the “revolving door” that keeps workers moving between federal government posts and defense industry jobs to conduct espionage. Lazarus is no slouch: He (or perhaps they) is best known for launching the massive “WannaCry” ransomware attack that infected hundreds of thousands of computers in 2017.
For about a year, Lazarus has been running a “Dream Job” phishing campaign that lures government employees with information about attractive Lockheed Martin job opportunities. Attachments to the emails, Word files entitled Lockheed_Martin_JobOpportunities.docx, and Salary_Lockheed_Martin_job_opportunities_confidential.doc, contain malicious macros. Once unleashed, part of the process installs a DLL using the Windows Update Client. This approach evades detection-based anti-malware programs, and lets Lazarus in.
Protecting your network
These attacks highlight why relying on user training and detection-based anti-malware software cannot protect against today’s attacks. Phishing emails are increasingly sophisticated, in some cases are highly targeted with very attractive “bait.”
Cybercriminals continue to discover new ways to evade detection-based security, as in the two examples above.
In response to attacks like these, Microsoft recently announced changes that will make it more difficult to distribute malware via macros embedded in Office documents including Excel, Word and Powerpoint. Users will no longer be able to enable macros in documents distributed via the internet with a click of an “Enable Editing” button that’s displayed at the top. Instead, they will have to go into the document properties to “unblock” the document. While this adds welcome protection, it does not “kill” malware delivery via Office macros, as some coverage claims, only makes successful delivery somewhat harder to achieve. And of course, this “fix” has no impact non-Office attachments.
ZTEdge Web Isolation is a much stronger approach. It stops attacks that leverage weaponized attachments, regardless of what kind of documents are used and even if users open the attachment and enable macros.
Using Remote Browser Isolation (RBI), ZTEdge Web Isolation opens email attachments and examines them in isolated containers located in the cloud, using Content Disarm and Reconstruction (CDR) technology. Malware is disabled and rendered harmless, and the file is reconstructed with desired functionality intact. The disarmed file is downloaded to the user, while any malware that has been activated is destroyed along with the container, keeping users, endpoints and networks safe.