Macro Threats and Ransomware Make Their Mark: A Midyear Look at the Email Landscape
Email can be considered a big business—for cybercrime.
In 2014, 196.3 billion emails were sent and received daily. Of that number, 108.7 billion were business emails. With the volume of business emails sent daily, it would be unimaginable for cybercriminals not to take advantage of email to target big businesses. And those attempts can result in million-dollar losses and stolen information. For example, it was reported that the Home Depot breach cost the company US$62M in losses while the Target breach cost US$229M.
However, this doesn’t mean that businesses are the only ones vulnerable to email attacks. Based on our observations in the first half of the year, email threats do not discriminate when it comes to acquiring victims.
The first half of the year was defined by two trends in the spam landscape. The first was the continued rise of macro-based malware in spam. The second was the slew of ransomware attacks delivered via spam.
Something old made something new
In the first few months of the year, we saw a marked increase in macro-based threats in spammed messages. These spammed messages had attachments with Microsoft Office file extensions like .DOC, .DOCM, .XLS, and .XLSM. In Figure 1 below, we break down the types of malware-related spam we saw from month to month. While UPATRE (in red) is still the top type of mal-spam, macro spam (in green) has increased throughout the months.
Figure 1. Macro spam has increased throughout the months
Source: honeypot data
We also encountered emails that contained PDF attachments. These attachments actually contain embedded .DOC files. The .DOC files contain the macro that will download the malicious .EXE file once executed.
Figure 2. Sample .PDF file
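The attachment patterns described above (macro-enabled Office files, and a PDF that carries an embedded .DOC) are easy to triage at the mail gateway before a user ever opens them. The following script is an added example, not Trend Micro code: it inspects each attachment by extension and, for OOXML containers, checks the ZIP for the vbaProject.bin part where Word and Excel store VBA macros. The sample attachments, the verdict names and the extension lists are constructed for the demo; a production gateway would hand the "sandbox" cases to a detonation environment rather than decide locally.

```python
"""Triage email attachments for macro-bearing Office files (added example).

Verdicts: 'block' (macro confirmed or always-dangerous type), 'sandbox'
(cannot decide statically), 'allow'. Sample files are built in memory so the
script runs offline; they are constructed, not real spam samples.
"""
import io
import os
import zipfile
from typing import Dict

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (CFB) header

# Extension groups taken from the article: Office carriers (.DOC/.DOCM/.XLS/.XLSM),
# the .CHM trick mentioned later, and the .JS/.HTML droppers from the "resume" spam.
OOXML_MACRO_EXT = {".docm", ".xlsm"}
OOXML_PLAIN_EXT = {".docx", ".xlsx"}
LEGACY_OFFICE_EXT = {".doc", ".xls"}
ALWAYS_BLOCK_EXT = {".chm", ".js", ".exe", ".scr"}   # assumed gateway policy


def ooxml_has_macro(data: bytes) -> bool:
    """True if the OOXML ZIP contains a vbaProject.bin part (VBA macro storage)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'sandbox' or 'allow' for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in ALWAYS_BLOCK_EXT:
        return "block"
    if ext in OOXML_MACRO_EXT | OOXML_PLAIN_EXT:
        if ooxml_has_macro(data):
            return "block"              # macro present, whatever the extension claims
        # a .docm with no VBA part is odd enough to detonate; a plain .docx is fine
        return "sandbox" if ext in OOXML_MACRO_EXT else "allow"
    if ext in LEGACY_OFFICE_EXT:
        # Binary .DOC/.XLS keep VBA inside OLE streams; confirming that needs an
        # OLE parser, so hand these to the sandbox instead of guessing.
        return "sandbox"
    if ext == ".pdf" and b"/EmbeddedFile" in data:
        return "sandbox"                # PDF carrying an embedded file (Figure 2 pattern)
    return "allow"


def triage_message(attachments: Dict[str, bytes]) -> Dict[str, str]:
    """Map every attachment name of one message to its verdict."""
    return {name: triage_attachment(name, blob) for name, blob in attachments.items()}


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed macro blob")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed message mirroring the article's cases.
    sample = {
        "resume.docm": build_sample_ooxml(True),
        "report.docx": build_sample_ooxml(False),
        "invoice.chm": b"ITSF constructed",
        "scan.pdf": b"%PDF-1.5 ... /Type /Filespec /EmbeddedFile ... constructed",
        "notes.txt": b"plain text",
    }
    for name, verdict in triage_message(sample).items():
        print(f"{name:14s} -> {verdict}")
```

The OOXML check is deliberately narrow: it only proves a macro project is present, which is enough to block; it does not try to judge what the macro does. Legacy binary formats and PDFs with embedded files go to the sandbox because the static check cannot tell a benign embedded attachment from the downloader described above.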
But not all spammed messages related to ransomware had attachments. Other emails contained links that lead to legitimate file hosting websites like Dropbox, where the malicious file is hosted.
Figure 3. Sample spammed message with Dropbox link
Spammers may have decided to use macros for their spam runs because of the “newness” of macros. After years of relative silence, it’s only recently that malicious macros have reentered the threat landscape. Spam recipients may not be aware of the dangers of macros, allowing spammers to cast a wider net of potential victims.
Ransom(ware) letters reimagined
Spam remained a popular method of delivering ransomware to unsuspecting recipients. Two ransomware families particularly made a lot of noise during the first half of the year: Cryptowall 3.0 and TorrentLocker.
During the first quarter of the year, we came across malicious spam runs that combined file encryption with information theft. Several spammed messages contained a supposed resume attachment in ZIP files. The archived file contains a .JS or .HTML file that downloads Cryptowall and FAREIT malware onto the computer. FAREIT is known to steal credentials stored in the system’s FTP clients, web browsers, email clients and even Bitcoin wallets.
Meanwhile, we saw TorrentLocker as part of regional attacks that targeted countries such as Australia, New Zealand, and certain parts of Europe. Some of the social engineering lures commonly used in these attacks include invoices (such as those for Bolletta and Fatura) and postal tracking notifications.
1H 2015 spam volume
We may have seen an increase in specific types of attacks but overall, there was a noticeable decline in the volume of spam as the year went on. Breaking down the total volume of spam for 1H 2015, we can see that March had the largest percentage of the six months.
Figure 4. Total spam volume for 1H 2015
Source: honeypot data
There are several factors that could explain the higher volume for the first three months of 2015. We saw recurring outbreaks involving dating, adult, and employment spam, which decreased coming into the second quarter. It’s possible that spammers may have moved on to other types of spam attacks.
Two trends continued into the second quarter of the year. We saw outbreaks of malware-related spam; these messages carried zipped attachments of the downloader malware UPATRE and the macro-based malware BARTALEX. We also encountered spam containing links to newly created domains, often registered just days before the attacks. These spammed messages frequently use word salad and invisible ink to bypass filters.
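Both evasion tricks mentioned above, invisible ink and links to freshly registered domains, leave traces a filter can score. The script below is an added example, not Trend Micro code: it parses an HTML message body, separates text the recipient would see from text hidden with CSS or a white font, and checks link hostnames against a registration-date table. That table, the sample message, the seven-day "young domain" threshold and the 30% hidden-text threshold are constructed assumptions; a real deployment would replace the table with a WHOIS/RDAP lookup.

```python
"""Score an HTML email for invisible ink and newly registered link domains
(added example). Sample data below is constructed, not captured spam."""
import re
from datetime import date
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# CSS patterns that render text invisible; white-on-white is the common "invisible ink".
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt|em)?\b"
    r"|color\s*:\s*(?:#fff\b|#ffffff\b|white\b)", re.I)
WHITE = {"#fff", "#ffffff", "white"}
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link"}


class InkParser(HTMLParser):
    """Split message text into visible and hidden words; collect link targets."""

    def __init__(self) -> None:
        super().__init__()
        self.stack: List[bool] = []      # one flag per open element: is it hidden?
        self.visible: List[str] = []
        self.hidden: List[str] = []
        self.hrefs: List[str] = []
        self.skip = 0                    # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        if tag in VOID_TAGS:
            return
        if tag in ("script", "style"):
            self.skip += 1
        hidden = (bool(HIDDEN_STYLE.search(a.get("style") or ""))
                  or (a.get("color") or "").lower() in WHITE   # <font color="#FFFFFF">
                  or "hidden" in a)
        # a child of a hidden element is hidden too
        self.stack.append(hidden or bool(self.stack and self.stack[-1]))

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        if self.stack:
            self.stack.pop()

    def handle_data(self, data):
        words = data.split()
        if not words or self.skip:
            return
        target = self.hidden if (self.stack and self.stack[-1]) else self.visible
        target.extend(words)


def analyze(html: str, today: date, registrations: Dict[str, date],
            young_days: int = 7, hidden_threshold: float = 0.3) -> dict:
    """Return hidden-text ratio, young/unknown link domains and a verdict."""
    p = InkParser()
    p.feed(html)
    p.close()
    total = len(p.hidden) + len(p.visible)
    ratio = len(p.hidden) / total if total else 0.0
    hosts = [urlparse(h).hostname for h in p.hrefs]
    domains = sorted({h for h in hosts if h})
    young = [d for d in domains
             if d in registrations and (today - registrations[d]).days <= young_days]
    unknown = [d for d in domains if d not in registrations]
    verdict = "suspicious" if ratio >= hidden_threshold or young else "clean"
    return {"hidden_ratio": round(ratio, 2), "hidden_words": len(p.hidden),
            "young_domains": young, "unknown_domains": unknown, "verdict": verdict}


# Constructed inputs: a tracking-notification lure with two blocks of word salad
# hidden from the reader, and a registration table standing in for WHOIS/RDAP.
SAMPLE_HTML = """<html><body>
<p>Your parcel is waiting. Track it <a href="http://track-parcel-update.example/t/8812">here</a>.</p>
<p style="font-size:0">quartz lantern meridian bicycle harbor saffron velvet compass
orchard tundra pelican granite marble timber cobalt lattice ember fjord walnut prism</p>
<font color="#FFFFFF">anvil sonnet quiver topaz mosaic ledger zephyr ripple</font>
</body></html>"""
TODAY = date(2015, 7, 1)
REGISTRATIONS = {"track-parcel-update.example": date(2015, 6, 28),   # 3 days old
                 "example.com": date(1995, 8, 14)}

if __name__ == "__main__":
    print(analyze(SAMPLE_HTML, TODAY, REGISTRATIONS))
```

Word salad on its own is hard to flag without a language model, but it is almost always hidden, which is why the ratio of hidden to visible words is the cheaper signal. The domain check is only as good as the registration source; the "unknown_domains" list is returned separately so a filter can decide whether a missing record should itself count against the message.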
Upatre (still) reigns supreme
UPATRE continued its streak as the top distributed malware via spam. Last year, we noted that there was a decrease in UPATRE-related spam campaigns due to the Gameover takedown. However, activity soon picked up due to the CUTWAIL botnet. A year later, UPATRE remains on top, distributed by the CUTWAIL botnet. CUTWAIL has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009.
But while UPATRE might be considered “old” at this point, it still has a few tricks up its sleeve. We spotted an upgraded version of UPATRE that can disable security features—making it easier to avoid detection. We also encountered a new variant being dropped as a Microsoft Compiled HTML Help file (.CHM). The use of this file extension is a way to avoid suspicion: .CHM is the extension of Microsoft help files.
PLUGX and EMDIVI, top spear-phishing payloads
Email remains a popular arrival vector for targeted attacks, with 74% of targeted attack attempts using email as the gateway for infiltration.
For the first half of the year, spear-phishing emails used a variety of social engineering lures like upcoming seminars, job vacancies, and personnel issues. However, what stood out was the fact that the two most common payloads were PLUGX and EMDIVI. PLUGX is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. EMDIVI, which first appeared in 2014, is notoriously used in targeted attacks against Japanese companies.
What’s next for spam?
While it’s hard to predict the exact steps spammers may take in the second half of the year, we can make some predictions based on past and current observations:
- Macro-based malware will continue to increase, possibly using new techniques such as the use of new file extensions and new payloads.
- Cryptowall spam may also experience a slight change: we foresee attackers doing away with just using the “resume” template. Newer Cryptowall spam will include other templates.
- Spammers will use ordinary-looking templates for their attacks to bypass anti-spam filters. These templates include social networking notifications, banking notifications, and tracking notifications like those for DHL and FedEx.
- Some things, however, will remain the same. Spammers will continue to use holidays and other “newsworthy” events just to victimize unsuspecting users.
- UPATRE will remain the top distributed malware because its small file size allows it to be easily attached to emails and/or downloaded from URLs. UPATRE can also be modified to bypass security filters—something we’ve seen in the first half of 2015.
Regardless of the next steps for spam, businesses should implement security solutions that can detect and block email threats. The Deep Discovery Email Inspector is built to detect and block targeted emails engineered to lead to a data breach. The Deep Discovery Email Inspector employs advanced malware detection engines, URL analysis, and file and web sandboxing to identify and immediately block or quarantine these emails.
Enterprises can also opt for the Trend Micro™ Smart Protection Complete Suites, which deliver the best protection at multiple layers: endpoint, application, and network, using the broadest range of anti-malware techniques available.
Small businesses can protect themselves from email threats with Trend Micro™ Worry-Free Business Security. Harnessing the power of the Smart Protection Network, Worry-Free Business Security proactively stops threats before they can reach the business, limiting the impact on your systems.