Broken hour: hackers steal accounts using corrupted files
Cybercriminals have begun attacking users with corrupted Microsoft Word documents, experts warn. The danger of such attacks is that e-mail security systems cannot parse "broken" files and therefore do not flag them as malicious. How hackers attack users with damaged MS Word documents and why the new threat is dangerous, in this Izvestia report.
How hackers began to use "broken" files
The Hacker News reported that cybercriminals have begun attacking users with corrupted MS Word documents, citing researchers at Any Run, the company behind the cloud service of the same name for analyzing suspicious files and URLs.
According to the researchers, e-mail security tools normally scan every attachment for malicious content before the user receives it. If a file is corrupted, however, the scanner cannot parse it, and a file it cannot parse is simply not marked as malicious.
Word, on the other hand, can repair a corrupted document and make it readable, and this is the crux of the threat: the repair happens on the user's machine, after the attachment has already passed the mail gateway, so the user ends up with content that was never inspected. In one of the cases detected by Any Run, that content was a QR code leading to a phishing page imitating the Microsoft 365 login.
The researchers stress that such files open normally on the victim's system yet go undetected by most security tools, including the popular VirusTotal, because antivirus engines are unable to parse the damaged file format well enough to analyze it.
How new cyberattacks by hackers work
Hackers often use Microsoft Word documents as a delivery vehicle for malware. In the situation described by Any Run, therefore, it is more accurate to speak of exploiting vulnerabilities in e-mail security tools and antivirus engines, says Maxim Alexandrov, an expert in software products at the Security Code company, in a conversation with Izvestia.
- Cybercriminals began using attacks with "broken" files when they discovered that this was possible and effective, at least until information security specialists find a way to solve the problem," he explains.
The idea behind such an attack is not new, says Shaih Galiev, head of the PT Sandbox expertise department at Positive Technologies' anti-virus laboratory. According to him, most protection tools rely on static analysis of file formats, and a damaged file can break the analyzer's format detection and so slip past the protection tools.
The applications the malware is delivered through, on the other hand, cope with such damage and open the file anyway. This is exactly what happens in the new attack: Microsoft Word repairs the file, the user sees the phishing QR code, follows it, and the device ends up infected.
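The fail-open behavior described above can be reproduced in a few dozen lines. What follows is an added example, not code from Any Run, from the article's sources, or from any scanner vendor. It assumes, as a matter of file format rather than of this campaign, that the document is a DOCX, that is, a ZIP container of XML parts. The article does not describe the exact damage used in the real attack, so the example constructs its own: it removes the ZIP central directory, which is enough to make Python's standard `zipfile` module reject the file. The package contents, the placeholder link host `login.example.invalid`, and both scanner functions are constructed for illustration.

```python
import io
import re
import struct
import zipfile
import zlib

# Constructed sample: a minimal DOCX-like package (DOCX is a ZIP of XML parts).
# The link host is a placeholder, not a real phishing site.
PHISH_URL = "https://login.example.invalid/office365"
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
)
DOCUMENT = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>Scan the QR code to view the invoice</w:t></w:r></w:p>'
    '</w:body></w:document>'
)
RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
    f'2006/relationships/hyperlink" Target="{PHISH_URL}" TargetMode="External"/>'
    '</Relationships>'
)


def build_docx():
    """Pack the parts into a well-formed ZIP, the way Word saves a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", DOCUMENT)
        z.writestr("word/_rels/document.xml.rels", RELS)
    return buf.getvalue()


def corrupt(docx):
    """Constructed damage: cut the file at the central directory, losing it and the
    end-of-central-directory record that ZIP readers use to locate entries."""
    sig, _, _, _, _, _, cd_offset, _ = struct.unpack("<4sHHHHIIH", docx[-22:])
    assert sig == b"PK\x05\x06", "sample has no trailing EOCD record"
    return docx[:cd_offset]


REL_TAG = re.compile(r"<Relationship\b[^>]*>")
ATTR = re.compile(r'(\w+)="([^"]*)"')


def external_links(parts):
    """Targets of external relationships (hyperlinks, remote templates) in .rels parts."""
    links = []
    for name, data in parts.items():
        if name.endswith(".rels"):
            for tag in REL_TAG.findall(data.decode("utf-8", "replace")):
                attrs = dict(ATTR.findall(tag))
                if attrs.get("TargetMode") == "External" and "Target" in attrs:
                    links.append(attrs["Target"])
    return links


def verdict(parts):
    links = external_links(parts)
    return ("suspicious" if links else "clean", links)


def naive_scan(blob):
    """Gateway-style check that trusts the container parser: a file that does not
    parse is 'unscannable', which in practice means it is delivered unflagged."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            parts = {n: z.read(n) for n in z.namelist()}
    except zipfile.BadZipFile:
        return ("unscannable", [])
    return verdict(parts)


LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # 30-byte local file header


def carve_parts(blob):
    """Recover members without a central directory by walking local headers
    (PK\\x03\\x04). Deflated data is inflated until the stream ends, so the size
    fields in the header (which may be zeroed) are not trusted."""
    parts, pos = {}, 0
    while True:
        pos = blob.find(b"PK\x03\x04", pos)
        if pos < 0 or pos + LOCAL_HDR.size > len(blob):
            break
        _, _, _, method, _, _, _, csize, _, nlen, xlen = LOCAL_HDR.unpack_from(blob, pos)
        name_start = pos + LOCAL_HDR.size
        name = blob[name_start:name_start + nlen].decode("utf-8", "replace")
        data_start = name_start + nlen + xlen
        if method == 8:  # deflate
            inflater = zlib.decompressobj(-15)
            try:
                raw = inflater.decompress(blob[data_start:])
            except zlib.error:
                raw = b""
            consumed = len(blob) - data_start - len(inflater.unused_data)
        elif method == 0:  # stored
            raw, consumed = blob[data_start:data_start + csize], csize
        else:  # unsupported method: keep the name, skip the data
            raw, consumed = b"", 0
        parts[name] = raw
        pos = data_start + max(consumed, 1)
    return parts


def tolerant_scan(blob):
    """Same verdict logic, applied to carved parts instead of parser output."""
    parts = carve_parts(blob)
    return verdict(parts) if parts else ("unscannable", [])


if __name__ == "__main__":
    intact, broken = build_docx(), corrupt(build_docx())
    print("intact, naive   :", naive_scan(intact))
    print("broken, naive   :", naive_scan(broken))
    print("broken, tolerant:", tolerant_scan(broken))
```

The first scanner behaves like the gateway in the article: an attachment it cannot parse is reported as unscannable rather than malicious, and that is the gap the attackers rely on. The second ignores the missing central directory, walks the local file headers instead, and still recovers the relationships part with its external link. Two practical conclusions follow for anyone operating such a gateway: an attachment the scanner cannot parse should be a reason to quarantine, not to deliver, and detection logic should run on carved content rather than demand a well-formed container first.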
- Hackers have found another way to bypass protection and are using it in various phishing e-mails," confirms Anton Kargin, an expert in the malware analysis group (MAG) of the Solar 4RAYS cyber threat research center at Solar Group.
According to him, while the first malicious files of this type carried QR codes redirecting the victim to a credential-phishing page, documents with other kinds of payload, including macros and even remote template downloads, may well follow.
What are the dangers of cyberattacks using "broken" files?
The main targets of attacks with corrupted Word documents are likely to be employees who handle large numbers of documents, explains Maya Pasova, a leading information security consultant at R-Vision. Accountants, lawyers and HR managers, who have been victims of phishing attacks many times before, are at risk.
- Fraudsters can send malware under the guise of important documents: invoices, contracts and reports, and then use social engineering to pressure a person into opening them," warns the Izvestia interlocutor.
If they succeed, malicious code runs on the victim's computer. The scheme works because employees are not always aware of the basic rules of cyber hygiene, and companies do not train them, emphasizes Maya Pasova.
Maxim Alexandrov specifies that "broken" files carry two main threat vectors. First, if the attackers' pretext works and the victim opens the malicious e-mail, their data is compromised.
- Second, the malware sometimes stays hidden from antivirus, and the user may not even know that hackers have gained access to their computer. This means the attackers can do anything they want, such as stealing confidential data," says the specialist.
Viktor Gulevich, Director of the Information Security Competence Center at T1 Integration, adds that both scenarios carry the risk of confidential information leaking, as well as theft of credentials and other critical data. That, in turn, can lead to significant financial losses, reputational damage and disruption of company operations. Corrupted files can also be used to install backdoors or other malware.
How to protect yourself from new cyberattacks by hackers
To protect yourself from the new attacks involving "broken" files, first of all do not follow links from such documents to unknown sites, especially if the e-mail comes from an unfamiliar contact, advises Dmitry Ovchinnikov, head of the strategic cybersecurity product development laboratory at the Gazinformservice cybersecurity analytical center.
- Those who do click on such links should be especially careful when entering their personal data. Phishing sites are very well disguised as real ones, so it is necessary to compare, literally letter by letter, which site you have landed on," says the expert.
Software should also be updated regularly: with each new version and patch, developers close particular vulnerabilities, which raises the user's baseline level of protection, Maxim Alexandrov adds. At the company level, Maya Pasova recommends training employees regularly and keeping them informed about fraudsters' new methods.