Phishing Campaign Uses “Broken” File Attachment to Disguise Malware

opened padlocks on keyboard

A phishing campaign used a “broken” file attachment to help its malware payload evade detection by both automated and manual analysis tools.

Cofense Intelligence discovered the phishing campaign in the spring of 2019. The security organization didn’t elaborate on what each of the attack emails looked like. That’s because the email itself wasn’t the most significant part of the campaign.

It was another story for the attachment, however. This file was a malicious document that, when opened, dropped an embedded object as a partial executable. “Partial” is the key word here. The executable didn’t come with an MZ file header, something which the Windows operating system uses to interpret the contents of a file.

Consequently, most anti-virus tools figured that the file was broken. In fact, just seven out of 59 security engines detected the partial executable as malicious. Those security solutions didn’t flag it because the campaign successfully exploited what’s known as “information overload.”

As Cofense Intelligence explains in a blog post:

Information overload is a serious problem for any enterprise. To quickly process and prioritize information, both analysts and technical defenses will sometimes ignore “broken” files that do not run. If these files are recognized as a threat, analysts are often still forced to prioritize more obviously damaging malware instead of fixing a “broken” sample.

But the campaign didn’t end there. It was actually just getting started.

The operation waited until the partial executable dropped on a victim’s computer before it exploited CVE-2017-11882, a memory corruption vulnerability affecting certain versions of Microsoft Office. This allowed the attackers to run arbitrary code by downloading the contents of a file. In this particular case, the nefarious individuals downloaded “~F9.TMP,” a file which contained “MZ” as its contents.

At that point, the campaign added the substance of “~F9.TMP” into “~AFER125419.TMP,” a file which shared its name with the object embedded in the original executable. The campaign then took the combined .TMP file, used it to create an executable and copied it to the Windows Startup folder. Doing so granted the malware persistence, as it ensured that the newly created executable would run at each bootup of the infected machine.

Countering Advanced Attack Techniques with Advanced Defense

Those responsible for this campaign protected themselves on numerous fronts against detection by initially serving up just a partial executable. First, as the file requires the web to build its MZ header, the digital attackers effectively shielded the partial executable from analysis within a sandbox environment, technology which by default lacks web access. Second, these malefactors all but guaranteed that the file would evade detection if anything ever happened to the download script (such as if the attackers took it down for some reason). Lastly, they constructed the script in such a way that it would create two 2-byte files that would display an error message if it was ever downloaded separately and run, thereby creating the illusion of “broken” functionality.

Acknowledging all of these factors, Cofense Intelligence deemed that the campaign was “almost certain to evade detection as malicious.” It went on to state that organizations stood the best chance against campaigns such as these by investing in a solution that leverages both human intuition and threat automation.

The folks at Zix couldn’t agree more. The campaign described above did in fact target ZixProtect customers. But these attack attempts were for naught, as Zix’s email security solution blocked 100 percent of those threats with filters dating back to mid-March of 2018. This just goes to show how ZixProtect’s ability to create filters offers a uniquely in-depth level of protection while allowing legitimate emails to come through.

Learn more about the ZixProtect advantage today.