A discussion of a particularly nasty strain of malware downloader and what you need to know to keep yourself, your business and your employees protected.
Conventional wisdom tells us that if you’re trying to keep your employees, your clients and ultimately your business safe from virtual harm, a little bit of old-fashioned common sense goes a long way. You’ve likely already been investing in ongoing security training, making sure that you and your team know how to identify a phishing email when you see one or know how to spot a rogue download coming from a mile away.
But what happens if even this isn’t enough to get the job done? What if there was a new and terrifying form of malware that could infect any PC in its path, even if the user never clicked on any suspicious-looking links in the first place? It sounds like a nightmare scenario, doesn’t it?
Unfortunately, that’s precisely the type of situation that we now find ourselves in. Security researchers from Trend Micro and Dodge This Security recently uncovered a technique that cyber criminals have been using around the world. An advanced malware downloader could potentially uninstall a banking Trojan horse on your computer – even if you never “accidentally” gave it permission.
21st Century Cyber Terror
Generally speaking, Trojan horses in the past have been limited in scope because they require some type of input from the user in order to execute. A file doesn’t just appear on your hard drive – you have to give it permission, usually while you think you’re downloading something totally legitimate. Even at that point, in an enterprise environment, a password will typically have to be provided. These two barriers have been enough to stop a large number of potential cyber attacks… until now.
The new banking Trojan discovered by security researchers simply requires that the user hovers their mouse pointer over a hyperlink in a carrier PowerPoint file. At that point, the damage has already been down – the Trojan has infected the machine and there is little that can be done about it.
Research reveals that this technique has already been incredibly successful, striking victims around the world. It has been seen in various companies and organizations all across Europe, in the Middle East and even in Africa.
The good news is that you can still train your employees to avoid this type of situation – you just need to take your old techniques and update them with a new spin. In most cases, victims received an email that was usually finance related. They would get an email supposedly from a client or colleague with a subject line like “Invoice” or “Order Number.” The PowerPoint presentation – which itself was fairly harmless – was contained inside.
Once that PowerPoint presentation was viewed in a browser (as many popular options like Firefox or Apple’s Safari have the capability to do), users could easily be exposed to the rogue link and the virus hiding just behind it.
Embedded inside the link, which typically reads “Loading, Please Wait…”, is a malicious PowerShell script. Because of the nature of PowerShell, users don’t have to actually click it – they just have to hover over it. As this is a technique commonly used to check for rogue links in the first place (hovering your mouse over a link will usually give you a peak at the associated URL), it has been particularly damaging in many situations.
Equally, good news is the fact that if a computer is running a newer version of Microsoft’s Office productivity suite, end users will STILL need to approve the malware’s download before it has the opportunity to infect a PC. This is because more modern versions of Microsoft Office have a feature called “Protected View,” which automatically displays a prompt identifying something as a “potential security concern” as soon as a script tries to execute itself.
Once a computer is infected, it can easily steal everything from user credentials to bank account information and more in seconds.
This is just another in a long line of examples as to why ongoing security training is so essential for your employees. Every computer connected to your office network is a potential vulnerability just waiting to be exploited by someone who knows what they’re doing. If even one user falls victim to this attack, it could bring your entire network to its knees.
As always in terms of cyber security, the best defense is absolutely a good offense. In addition to making sure that your employees are aware of attacks like these, you’ll want to make it a priority for your IT team to update all software whenever possible. Many don’t realize that updates to productivity suites like Microsoft Office don’t just come with fancy new features and sleek new graphical user interfaces – they usually also include bug fixes and security patches designed to stop attacks like these from happening.
As far as this particular malware downloader is concerned, research indicates that it seems to have died down after almost 1500 detections at the end of May 2017. However, it is always a possibility that this was just a test run for something far bigger and more sinister that could make its way across the planet at some point in the not-too-distant future. Whether or not we’ll be seeing an increased use of this downloader at some point soon remains to be seen, but it’s still a good idea to prepare your team accordingly just in case.
Invotec is incredibly proud to act as your one-stop source for all of the breaking news, tips, tricks and best practices you need to not only keep you and your employees safe from digital threats but to wield the full might of modern technology to your advantage. If you’re in or around the Melbourne area and would like to find out more information about this topic, or if you have any additional questions that you’d like to get more specific answers to, please don’t delay – give us a call at 1300 INVOTEC or send us a message at firstname.lastname@example.org today.