Microsoft Office 365 users are the newest victims of a massive phishing campaign designed to trick them into opening malicious files. The malicious payload is carried in SLK files, which also introduce a new infection mechanism.
New Intrusion Technique Used To Scam Microsoft Office 365 Users To Open SLK Files
Computer criminals are constantly looking for new methods to infect potential victims. In this particular case the criminals have focused on users of Microsoft Office 365. For this reason the hacking group has devised a new infection strategy that is described as a novel approach for bypassing the default security of the application. The strategy devised by the attackers bypasses the Microsoft Office 365 protections, including the advanced security provisions.
The infection strategy involves the distribution of SLK files attached to phishing email messages targeted at the users. The hackers can attempt to use several strategies:
- Phishing Email Messages — The hackers will impersonate companies and services which are known to the victims. These messages will contain stolen or faked graphics and content that will look like the actual sites. The malicious files can be attached directly to the message or linked from its body.
- SPAM Messages — Messages that are sent in bulk can be used as carriers for the infection. In this case generic scenarios can be programmed to carry the threats.
- Malware Carrier Files — The infection may be made part of carrier files that will install the threat as soon as they are run. Examples are macro-infected documents (in all popular formats) and application bundle installers — the hackers will insert the relevant code in the setup files of software that is often installed by end users.
The attack starts with the execution of the attached SLK file. It contains a malicious macro script that launches the delivery mechanism responsible for downloading the malware code. This deploys a remote access Trojan which allows the hackers to take control of the infected machine. This is done by installing a local client on the system that establishes a connection to a hacker-controlled server operated by the criminal group.
The SLK file itself is a text-based format used by spreadsheet software (such as Microsoft Excel) which is not often used. However, it is still used in some instances and can be opened by most modern versions of the program. In this case not a lot of organizations have been impacted — it is very possible that this is a targeted campaign.
For this particular attack the campaign was directed from Hotmail-hosted inboxes. They are the senders of the malware emails and carry the dangerous macro-bearing files. The hackers use various characters, including ^, to bypass the email security filters — this evades certain anti-virus checks. The actual URL is also split in two parts, which prevents the security system from recognizing it as a web link.
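The two evasions described above (caret padding inside the macro formula and a download URL split over several cells) defeat filters that match on raw attachment text. The following Python script is an added example, not code from the article or from any vendor it mentions: it parses the cell records of a SYLK (SLK) attachment, strips the carets before keyword matching, and joins plain string cells in sheet order so a URL that no single cell contains becomes visible. The two SLK samples are constructed for the example; the macro formula in the "malicious" one only echoes a word, and the URL points at the reserved `.invalid` domain.

```python
import re

# Constructed sample SLK (SYLK) text standing in for a malicious attachment.
# The formula cell imitates the caret-padded command the article describes and
# the URL is split across two plain string cells; the payload is a harmless echo.
MALICIOUS_SLK = """ID;P
C;Y1;X1;K"Quarterly report"
C;Y2;X1;EEXEC("cm^d /c ec^ho hello")
C;Y3;X1;K"http:/"
C;Y4;X1;K"/example.invalid/x.bin"
E
"""

# Constructed benign spreadsheet containing plain values only.
BENIGN_SLK = """ID;P
C;Y1;X1;K"Sales"
C;Y2;X1;K42
E
"""

# Excel 4.0 macro functions that run external code or load libraries from a sheet.
MACRO_FUNCS = ("EXEC", "CALL", "REGISTER", "FORMULA")
URL_RE = re.compile(r"https?://[A-Za-z0-9./_\-?=&%]+")


def parse_cells(text):
    """Parse the C (cell) records of a SYLK file into dicts.

    Fields are ';'-separated: Y<row>, X<col>, K<value>, E<formula>.
    Simplification: a ';' escaped inside a value (written ';;') is not handled.
    """
    cells = []
    for line in text.splitlines():
        if not line.startswith("C;"):
            continue
        cell = {"row": None, "col": None, "kind": None, "value": ""}
        for field in line[2:].split(";"):
            if field.startswith("Y"):
                cell["row"] = int(field[1:])
            elif field.startswith("X"):
                cell["col"] = int(field[1:])
            elif field.startswith("K"):
                cell["kind"], cell["value"] = "value", field[1:].strip('"')
            elif field.startswith("E"):
                cell["kind"], cell["value"] = "formula", field[1:]
        if cell["kind"]:
            cells.append(cell)
    return cells


def strip_carets(s):
    """cmd.exe treats ^ as an escape character, so 'cm^d' runs as 'cmd'.
    Removing carets lets keyword matching see what a raw-text filter misses."""
    return s.replace("^", "")


def assembled_url(cells):
    """Join plain string cells in sheet order and report a URL that appears only
    once the pieces are concatenated (the split-URL trick from the article)."""
    values = [c["value"] for c in cells if c["kind"] == "value"]
    if any(URL_RE.search(v) for v in values):
        return None  # URL visible in a single cell; ordinary filters already see it
    match = URL_RE.search("".join(values))
    return match.group(0) if match else None


def analyze_slk(text):
    """Return human-readable findings for an SLK attachment; empty list if clean."""
    cells = parse_cells(text)
    findings = []
    for c in cells:
        if c["kind"] != "formula":
            continue
        where = f"R{c['row']}C{c['col']}"
        if "^" in c["value"]:
            findings.append(f"caret-obfuscated formula at {where}")
        normalized = strip_carets(c["value"]).upper()
        for fn in MACRO_FUNCS:
            if fn + "(" in normalized:
                findings.append(f"{fn}() macro call at {where}")
    url = assembled_url(cells)
    if url:
        findings.append(f"URL split across cells: {url}")
    return findings


if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SLK), ("benign", BENIGN_SLK)):
        print(name, analyze_slk(sample) or ["no findings"])
```

In a mail gateway this check would run on every `.slk` attachment before delivery; any formula cell at all is worth quarantining for review, since an ordinary data export in this format contains only K (value) records.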
Seeing how these attacks continue to be sent against companies and services, it is very possible that the hackers will continue with the intrusion attempts in the future.