Recent Sigma Ransomware Campaign Demonstrates Danger in the Simplest of Changes to Malware Delivery
On 1 December 2017, PhishMe Intelligence™ identified a new delivery technique for Sigma ransomware, which was most likely employed to evade automated detection and mitigation by email and anti-malware defenses. Potential victims received phishing emails with an embedded image as the message body that also included an attached Microsoft Office document containing a malicious macro. The embedded image contained a password that could be used to open the Microsoft Office document.
Compared to previous deliveries disclosed by PhishMe® in November that included the password in the email body, these Sigma ransomware operators have changed the distribution method to include the password in an embedded image, as seen in Figure 1. The inclusion of a password and a seemingly protected document was almost certainly intended to make the email appear more legitimate to the victim.
Figure 1 – Threat actors embed an image in the message body containing a password to access the attached Word document; Threat ID 10406
In both delivery methods, once the supplied password is entered to open the Microsoft Word attachment, the document requests that the user enable macros. This allows the embedded macro to retrieve and download the Sigma ransomware, thereby infecting the machine and encrypting the victim's files.
This simple evolution in Sigma delivery demonstrates how threat actors can employ the most rudimentary of solutions to bypass security controls and gateways. Perimeter defenses rely on specific attributes of messages and their attachments to detect malware content. A phishing campaign that uses this technique may bypass gateways and sandbox technology by anticipating common detection schemes based on keywords and interrogation of the message content and attachments. While humans can read the instructions displayed as an image in the email, a machine cannot. Automated defenses cannot analyze what they cannot interrogate, preventing the identification and mitigation of such phishing deliveries, thereby putting enterprises at risk.
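The detection gap described above (instructions hidden in an image, password-protected attachment) can be turned into a mail-gateway triage heuristic. The following is an added example written for this article, not PhishMe code and not a rule from the campaign data: it parses a MIME message, measures how much readable text the body actually carries apart from inline images, and checks whether an Office Open XML attachment is really a Compound File Binary (OLE2) container, which is how Office stores a password-protected .docx (the package is wrapped in an EncryptedPackage stream) instead of the plain ZIP a normal .docx is. The sample messages, the stub image bytes and the stub attachment bytes are constructed here; the sender and recipient addresses and the threshold of 20 characters are assumptions.

```python
"""Triage heuristic for the image-only body + encrypted Office attachment pattern.
Added example, not PhishMe's code. Sample messages and file bytes are constructed stubs."""
import email
import html
import re
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (OLE2) header
ZIP_MAGIC = b"PK\x03\x04"                        # plain Office Open XML package
OOXML_EXTS = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")
MIN_BODY_CHARS = 20  # assumed threshold: fewer readable chars means the body text says nothing
WORD_SUBTYPE = "vnd.openxmlformats-officedocument.wordprocessingml.document"

# Constructed stub: a valid PNG signature followed by padding, not a real picture.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32


def _readable_text(part) -> str:
    """Visible text of a text/plain or text/html part with tags and entities removed."""
    text = part.get_content()
    if part.get_content_subtype() == "html":
        text = html.unescape(re.sub(r"<[^>]+>", " ", text))
    return text.strip()


def is_encrypted_ooxml(filename: str, data: bytes) -> bool:
    """A modern Office extension whose bytes start with the OLE2 header rather than a
    ZIP header indicates a password-protected package. Legacy .doc/.xls files are
    OLE2 as well, so the check is deliberately limited to OOXML extensions."""
    return filename.lower().endswith(OOXML_EXTS) and data.startswith(OLE_MAGIC)


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report the two indicators plus a combined verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_chars, inline_images, encrypted = 0, 0, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if part.is_attachment() and filename:
            if is_encrypted_ooxml(filename, part.get_content()):
                encrypted.append(filename)
        elif part.get_content_maintype() == "text":
            body_chars += len(_readable_text(part))
        elif part.get_content_maintype() == "image":
            inline_images += 1  # picture shown in the body, e.g. the one carrying the password
    image_only = inline_images > 0 and body_chars < MIN_BODY_CHARS
    return {
        "image_only_body": image_only,
        "encrypted_office_attachments": encrypted,
        "suspicious": image_only and bool(encrypted),
    }


def build_sigma_style_message() -> bytes:
    """Constructed lookalike of the layout described in the article: an HTML body that is
    nothing but an inline image, plus a .docx whose bytes are an OLE2 container."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"   # assumed address
    msg["To"] = "user@example.invalid"         # assumed address
    msg["Subject"] = "Invoice"
    msg.set_content('<html><body><img src="cid:instructions"></body></html>', subtype="html")
    msg.add_related(PNG_STUB, maintype="image", subtype="png", cid="<instructions>")
    msg.add_attachment(OLE_MAGIC + b"\x00" * 64, maintype="application",
                       subtype=WORD_SUBTYPE, filename="Invoice.docx")
    return bytes(msg)


def build_benign_message() -> bytes:
    """Constructed control case: a readable text body and a plain (ZIP-based) .docx."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"      # assumed address
    msg["To"] = "bob@example.invalid"          # assumed address
    msg["Subject"] = "Q4 report"
    msg.set_content("Hi Bob, attached is the Q4 report we discussed on the call. Regards, Alice")
    msg.add_attachment(ZIP_MAGIC + b"\x00" * 64, maintype="application",
                       subtype=WORD_SUBTYPE, filename="Q4-report.docx")
    return bytes(msg)


if __name__ == "__main__":
    for label, raw in (("sigma-style", build_sigma_style_message()),
                       ("benign", build_benign_message())):
        print(label, triage(raw))
```

Either indicator on its own is noisy (marketing mail is often image-only; finance teams do exchange password-protected spreadsheets), which is why the verdict requires both. In a gateway the combination is a good candidate for quarantine or sandbox detonation with the image routed through OCR, and the flags are worth logging separately so analysts can tune the threshold.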
These emails are yet another example of how operators of a simple ransomware will try clever and varied techniques to entice victims to enable their malware to run. Therefore, it is critical to recognize and educate network users about new themes and tactics, such as including a password in a malicious document to establish “legitimacy”, and to continuously implement proper controls that prevent the delivery of phishing emails.