Most threat actors these days are more mature than they were before. An organization will find out about a cyber attack on its network, in the late stages of the attack, when the damage has already been caused. However, one of the most critical stages in the cyber kill chain is the delivery of the malware.

Over the years, many malware delivery techniques have been found by threat actors, but one of the methods that has remained popular throughout the years is a phishing attack. A phishing attack is a social engineering attack in which a threat actor sends a fraudulent message to trick victims into exposing sensitive information or “”open a door”” that will let them into the organization’s network.

 

According to the most recent statistics of 2021, at least 91% of cyber attacks begin with phishing. It looks like the end-users are the weakest link in the cyber security chain, and threat actors know that.

 

Phishing attacks might be delivered by:

  • Email – containing a malicious attachment or containing a link to the malicious website.
  • Website – usually using a copy of a login page of the legitimate website (such as Paypal, Ebay, etc.).
  • SMS – redirecting a victim to a fake website or malicious download page.
  • Well know social networks like Twitter, Facebook or LinkedIn – with a request to download some resume of job candidates, a fake login page to get the user’s credentials by offering the victim coupons for discounts, etc.

 

The most common way of delivery is by email attachment pretending to be an invoice, or the hot topic of the last year, an email about COVID-19. The attachment is usually a macro embedded Excel/Word document since most organizations use a mail-relay product to prevent malicious executables of any kind from entering the inside network. The purpose of the macro will most obviously be a malicious file download from the remote Command and Control Server and its execution.

 

There are even weaponized document building tools like LCG Kit or EtterSilent.

Popular malwares downloaded following phishing attacks are Trickbot, Emotet, Ursnif, etc.

Minerva Labs has a unique approach to phishing attacks. Our simulation technology prevents the malicious activity of Microsoft Office products, including the consecutive payload delivery and its execution.

Figure 1 – Malicious excel file uses eqnedt32.exe to execute arbitrary code

 

Resources:

https://www.csoonline.com/article/2134037/strategic-planning-erm-the-practicality-of-the-cyber-kill-chain-approach-to-security.html
https://www2.deloitte.com/my/en/pages/risk/articles/91-percent-of-all-cyber-attacks-begin-with-a-phishing-email-to-an-unexpected-victim.html