Microsoft warns of multiple malspam campaigns carrying malicious disk image files
Microsoft says its advanced machine learning threat detection models have helped its staff detect multiple malicious spam (malspam) campaigns distributing disk image files infected with malware.
The campaign, detected last week, is using COVID-19 lures (email subject lines) to trick users into downloading and running ISO or IMG file attachments.
In a series of tweets today, Microsoft said these files are infected with a version of the Remcos remote access trojan (RAT), which gives attackers full control over the infected hosts.
Microsoft says the attackers have been persistent and have launched multiple different spam runs, targeting companies across different industries, in multiple countries across the globe. The biggest ones include spam runs like:
- A Remcos campaign going after US small businesses looking to get disaster loans. In this case, companies received emails pretending to be from the US Small Business Administration (SBA), carrying a malicious IMG (disk image) attachment. The IMG file contained an executable file that uses a misleading PDF icon. When run, the executable file installs the Remcos RAT.
- A campaign targeting manufacturing companies in South Korea. Attackers sent target organizations an email that impersonates CDC's Health Alert Network (HAN) that was carrying malicious ISO file attachments. The ISO file contained a malicious SCR file, which installed Remcos.
- Another Remcos campaign targeted accountants in the US, with emails purporting to contain "COVID-19 related updates" for members of the American Institute of CPAs. The attachment was a ZIP archive containing the ISO + SCR combination seen in the South Korean campaign.
The end goal of this operation is currently unknown; however, the threat actors could be looking to scout companies for future attacks, such as ransomware, BEC scams, or industrial espionage.
"The main thing that we really wanted to call out, and why it caught our attention, is because of the COVID-19 lures and also [because of] the slightly different techniques we found and the types of attachments they are sending," Tanmay Ganacharya, Director for Security Research of Microsoft Threat Protection, told ZDNet in an interview.
"They're using image files and ISO files, which is not super common. It's not like this is the first time ever we have seen it, but it is also not like extremely common for attackers to do this."
Companies receiving these types of email attachments are advised against running the attached files.
These ongoing attacks were uncovered after Microsoft detected some suspicious behavior across Defender installs.
96% of today's threats are files unique per machine
Ganacharya credited Microsoft's bet on machine learning as the reason the company spotted this campaign in the first place.
Today, Microsoft's antivirus product has evolved from the ancient and antiquated techniques of detecting malware based on file signatures.
Ganacharya says that malware polymorphism (malware that mutates at regular intervals) and fileless malware (malware that runs solely in the RAM, with no traces on disk) are now widely used. This puts antivirus vendors always one step behind most malware operations, if the antivirus is solely relying on detecting the presence of a known bad file.
"The threat landscape has changed so significantly with fileless attacks, with polymorphism. In 96+ percent of threats we see around the world [...], it's a unique file per machine," Ganacharya said.
Instead, Ganacharya says that Microsoft Defender is now relying on machine learning for detecting suspicious behavior happening on a host and raising alerts for its engineers to investigate.
In all of this, Defender's machine learning models are now the company's primary weapon against unknown malware attacks and threat actors, helping Microsoft detect attacks at their earliest points.
"We've been making a lot of investments over the last three-four years," the Microsoft exec said. "We've been making quite a lot of investments in terms of adding engines to Defender, around capturing sequence of behaviors, capturing content of the file itself, client-side machine learning model engine, cloud-side machine learning model engines.
"So the way we think about it is for the unknown threats, for the new and emerging threats, we rely heavily, very heavily, on machine learning doing either content classification or behavior sequence classification.
"You will see many times in our products [that] patient zero gets saved by some of these types of models," Ganacharya said.