2025-04-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
What are the most common malicious email attachments used to infect Windows? Many inexperienced users are at a loss about this, so this article summarizes the problem and its solutions. I hope it helps you deal with it.
To stay safe online, everyone needs to be able to recognize the malicious attachments in phishing emails that are commonly used to spread malware.
When spreading malware, attackers run spam campaigns disguised as invoices, invitations, payment notices, shipping notifications, e-mails, voicemails and so on. These emails carry malicious Word and Excel attachments, or links to them, that install malware on your computer once the document is opened and macros are enabled.
However, before Word or Excel will run the macros in a document, Office asks you to click the "Enable Editing" or "Enable Content" button, and that is exactly what you must not do.
Do not click "Enable Content" on attachments you receive
To trick users into clicking these buttons, malware distributors create Word and Excel documents containing text and images that claim there is a problem displaying the document, and then prompt the recipient to click "Enable Content" or "Enable Editing" to view it correctly.
The combination of text and images in these malicious attachments is called a "document template". Below are the document templates used in spam campaigns by some of the most widespread malware families. Note that the same templates can be reused by different malware, and these are only the more common examples; many others exist.
BazarLoader
BazarLoader is enterprise-targeting malware developed by the same group behind the TrickBot Trojan. Once installed, attackers use BazarLoader/BazarBackdoor to remotely access your computer and then pivot to attack the rest of your network.
When a network is infected with BazarLoader, the attackers usually end up deploying Ryuk ransomware to encrypt every device on the network.
Phishing emails spreading BazarBackdoor usually contain links to Google Docs documents and to Word or Excel files hosted on Google Forms.
However, these Google documents claim there is a display problem and prompt you to download the file. That download is actually an executable that installs BazarLoader, as shown below.
BazarLoader: fake Google Docs attachment
Dridex
Dridex is an advanced, modular banking Trojan, first discovered in 2014 and continuously updated since.
After infection, Dridex downloads various modules that steal passwords, provide remote access to the computer, or perform other malicious actions.
Once Dridex is on a network, it usually leads to the deployment of BitPaymer or Dridex ransomware.
Another ransomware family, WastedLocker, has also been linked to Dridex, although one cyber security company disputes that assessment. Unlike other malware distribution campaigns, the Dridex gang tends to use more elaborately formatted document templates that show small or blurred content and prompt you to click to make it legible.
For example, the template below claims the document was created in an earlier version of Microsoft Office Word and shows a hard-to-read document beneath the message.
Dridex: created in previous versions of Word
Dridex also uses more stylized document templates disguised as shipping information from DHL and UPS.
Dridex: forged DHL shipping information
Finally, Dridex shows a hard-to-read payment invoice and prompts you to click "Enable Editing" to view it correctly.
Dridex: forged Intuit invoice
As the examples above show, Dridex likes to embed images of documents bearing a company logo and letterhead to entice users into enabling macros.
Emotet
Emotet is the most widely distributed malware in spam carrying malicious Word or Excel documents. Once a computer is infected, Emotet steals the victim's email and uses the infected machine to send more spam to recipients around the world.
Users infected with Emotet will eventually be further infected with Trojans such as TrickBot and QakBot. Both are used to steal passwords, cookies and files, and to damage the organization across the whole network.
Eventually, a TrickBot infection is likely to be followed by a Ryuk or Conti ransomware attack on the network, while users affected by QakBot may be hit by ProLock ransomware.
Unlike Dridex, Emotet does not use images of real documents in its templates. Instead, it uses a variety of templates showing warning boxes which state that the document cannot be displayed correctly and that the user needs to click "Enable Content" to read it.
For example, the "Red Dawn" template shown below declares that "this document is protected" and then prompts you to enable content to read it.
Dridex: "this document is protected" template
The next template pretends the document did not open correctly because it was created on an iOS device.
Emotet: created on an iOS device
Another template claims the file was created on a Windows 10 Mobile device, which is odd, since Windows 10 Mobile has been discontinued for some time.
Emotet: created on a Windows 10 phone
The next template pretends the document is in "Protected View" and that the user needs to click "Enable Editing" to view it correctly.
Emotet: protected view
The next template is more interesting, as it tells the user to accept a Microsoft license agreement before the document can be viewed.
Emotet: accept the license agreement
Another interesting template, disguised as the Microsoft Office Activation Wizard, prompts the user to click "Enable Editing" to complete the activation of Office.
Emotet: Office Activation Wizard
Finally, Emotet is known to use a document template disguised as a Microsoft Office conversion wizard.
Emotet: conversion wizard
As you can see, rather than using formatted document templates, Emotet uses generic warnings to persuade users to enable macros in attachments.
QakBot
QakBot, or QBot, is a banking Trojan spread through phishing campaigns that typically send malicious Microsoft Word documents to enterprises.
QakBot is a modular Trojan that can steal banking information, install other malware, or provide remote access to infected devices.
Like the other Trojans in this article, QakBot works together with a ransomware family, ProLock, which is usually the final payload of the attack. QakBot campaigns tend to use more stylized document templates than Emotet. The most common template used in QakBot spam pretends to come from DocuSign, as shown below.
QakBot: DocuSign template
Other templates masquerade as Microsoft Defender or Word update and activation screens, such as the ones below.
QakBot: Word update and activation screens
All executable file attachments
Finally, never open attachments whose names end in .vbs, .js, .exe, .ps1, .jar, .bat, .com or .scr, because all of these can be used to execute commands on your computer.
Because most email services, including Office and Gmail, block executable attachments, malware distributors put them inside password-protected archives and include the password in the email, a technique that lets executable attachments bypass the email security gateway and reach the intended recipient.
JAR attachment
Unfortunately, Microsoft decided to hide file extensions by default, which lets an attacker trick users into running unsafe files. BleepingComputer therefore strongly recommends that all Windows users enable the display of file extensions.
If you receive an email containing one of these executable file types, it is almost certainly malicious and you should delete it immediately.
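As an added example (not part of the original article), the following Python script applies the two checks described above to attachment names and ZIP containers: it flags the executable extensions listed in this article, including double extensions that hidden file extensions would conceal, detects password-protected archive entries via the ZIP encryption flag, and, since macro-enabled .docm/.xlsm files are themselves ZIP containers, also reports the vbaProject.bin part that carries VBA macros. The make_zip helper and all sample attachments are constructed fixtures for demonstration.

```python
import io
import struct
import zipfile
from pathlib import PurePosixPath

# Extensions the article says should never be opened from e-mail.
EXECUTABLE_EXTS = {".vbs", ".js", ".exe", ".ps1", ".jar", ".bat", ".com", ".scr"}


def classify_attachment(filename):
    """Return the reasons an attachment *name* is suspicious (empty list if none)."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    reasons = []
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {suffixes[-1]}")
        # invoice.pdf.exe: with extensions hidden, Explorer shows only "invoice.pdf".
        if len(suffixes) >= 2:
            reasons.append(f"double extension disguised as {suffixes[-2]}")
    return reasons


def inspect_zip(data):
    """Inspect an in-memory ZIP container (archive or Office Open XML document).

    Flags encrypted (password-protected) entries, executables inside the archive,
    and the vbaProject.bin part present in macro-enabled .docm/.xlsm files.
    Legacy binary .doc/.xls files are OLE2, not ZIP, and need a different parser.
    """
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                reasons.append(f"password-protected entry {info.filename}")
            if info.filename.endswith("vbaProject.bin"):
                reasons.append(f"contains VBA macro project ({info.filename})")
            reasons.extend(f"{info.filename}: {r}" for r in classify_attachment(info.filename))
    return reasons


def make_zip(name, data, encrypted=False):
    """Constructed one-entry ZIP fixture; optionally marks the entry as encrypted.

    zipfile cannot write encrypted archives, so the encryption flag is set by hand
    in both headers (the payload itself stays in the clear; only the flag is set).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        cd_off = struct.unpack("<I", raw[-6:-2])[0]  # central-dir offset in the 22-byte EOCD record
        raw[6] |= 0x01           # local file header flags (first entry starts at offset 0)
        raw[cd_off + 8] |= 0x01  # central directory header flags
    return bytes(raw)
```

Real mail-gateway scanners inspect the same central-directory flag bits; an encrypted entry cannot be content-scanned, which is why the article treats the archive-plus-password pattern as a red flag on its own.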